{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46121", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-13T15:03:33.098Z", "datePublished": "2026-05-28T09:35:36.292Z", "dateUpdated": "2026-05-28T09:35:36.292Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-28T09:35:36.292Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock\n\nPatch series \"mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path\".\n\nReads of 'memcg_path' and 'path' files in DAMON sysfs interface could race\nwith their writes, results in use-after-free. Fix those.\n\n\nThis patch (of 2):\n\ndamon_sysfs_scheme_filter->mmecg_path can be read and written by users,\nvia DAMON sysfs memcg_path file. It can also be indirectly read, for the\nparameters {on,off}line committing to DAMON. The reads for parameters\ncommitting are protected by damon_sysfs_lock to avoid the sysfs files\nbeing destroyed while any of the parameters are being read. But the\nuser-driven direct reads and writes are not protected by any lock, while\nthe write is deallocating the memcg_path-pointing buffer. As a result,\nthe readers could read the already freed buffer (user-after-free). Note\nthat the user-reads don't race when the same open file is used by the\nwriter, due to kernfs's open file locking. Nonetheless, doing the reads\nand writes with separate open files would be common. Fix it by protecting\nboth the user-direct reads and writes with damon_sysfs_lock."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/damon/sysfs-schemes.c"], "versions": [{"version": "490a43d07f1663d827e802720d30cbc0494e4f81", "lessThan": "b1e9f2d5870776347edef927f9bb3ea19b8e3abb", "status": "affected", "versionType": "git"}, {"version": "c5d5b0047b0c0f304608f3824139f7bd34c48413", "lessThan": "c88802d0e8edd14b6cd2daf3000f99adbc4c85c5", "status": "affected", "versionType": "git"}, {"version": "4f489fe6afb395dbc79840efa3c05440b760d883", "lessThan": "eafd6f5372d29b0dd213799b92c2c9c7ad31d7da", "status": "affected", "versionType": "git"}, {"version": "4f489fe6afb395dbc79840efa3c05440b760d883", "lessThan": "baecc45ad60e621ef14d6c1e7f41ef36bbfdf910", "status": "affected", "versionType": "git"}, {"version": "4f489fe6afb395dbc79840efa3c05440b760d883", "lessThan": "1e68eb96e8beb1abefd12dd22c5637795d8a877e", "status": "affected", "versionType": "git"}, {"version": "4a158ac0538dd5695eeaa00aa0720d711f3e4ef1", "status": "affected", "versionType": "git"}, {"version": "6.6.96", "lessThan": "6.6.140", "status": "affected", "versionType": "semver"}, {"version": "6.12.36", "lessThan": "6.12.88", "status": "affected", "versionType": "semver"}, {"version": "6.15.5", "lessThan": "6.16", "status": "affected", "versionType": "semver"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/damon/sysfs-schemes.c"], "versions": [{"version": "6.16", "status": "affected"}, {"version": "0", "lessThan": "6.16", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.140", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.88", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.30", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.7", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.96", "versionEndExcluding": "6.6.140"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.36", "versionEndExcluding": "6.12.88"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.18.30"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "7.0.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "7.1-rc2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15.5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b1e9f2d5870776347edef927f9bb3ea19b8e3abb"}, {"url": "https://git.kernel.org/stable/c/c88802d0e8edd14b6cd2daf3000f99adbc4c85c5"}, {"url": "https://git.kernel.org/stable/c/eafd6f5372d29b0dd213799b92c2c9c7ad31d7da"}, {"url": "https://git.kernel.org/stable/c/baecc45ad60e621ef14d6c1e7f41ef36bbfdf910"}, {"url": "https://git.kernel.org/stable/c/1e68eb96e8beb1abefd12dd22c5637795d8a877e"}], "title": "mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock\n\nPatch series \"mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path\".\n\nReads of 'memcg_path' and 'path' files in DAMON sysfs interface could race\nwith their writes, results in use-after-free. Fix those.\n\n\nThis patch (of 2):\n\ndamon_sysfs_scheme_filter->mmecg_path can be read and written by users,\nvia DAMON sysfs memcg_path file. It can also be indirectly read, for the\nparameters {on,off}line committing to DAMON. The reads for parameters\ncommitting are protected by damon_sysfs_lock to avoid the sysfs files\nbeing destroyed while any of the parameters are being read. But the\nuser-driven direct reads and writes are not protected by any lock, while\nthe write is deallocating the memcg_path-pointing buffer. As a result,\nthe readers could read the already freed buffer (user-after-free). Note\nthat the user-reads don't race when the same open file is used by the\nwriter, due to kernfs's open file locking. Nonetheless, doing the reads\nand writes with separate open files would be common. Fix it by protecting\nboth the user-direct reads and writes with damon_sysfs_lock."}], "id": "CVE-2026-46121", "lastModified": "2026-05-28T13:44:01.663", "metrics": {}, "published": "2026-05-28T10:16:27.600", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1e68eb96e8beb1abefd12dd22c5637795d8a877e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b1e9f2d5870776347edef927f9bb3ea19b8e3abb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/baecc45ad60e621ef14d6c1e7f41ef36bbfdf910"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c88802d0e8edd14b6cd2daf3000f99adbc4c85c5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/eafd6f5372d29b0dd213799b92c2c9c7ad31d7da"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[490a43d07f1663d827e802720d30cbc0494e4f81,b1e9f2d5870776347edef927f9bb3ea19b8e3abb)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c5d5b0047b0c0f304608f3824139f7bd34c48413,c88802d0e8edd14b6cd2daf3000f99adbc4c85c5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4f489fe6afb395dbc79840efa3c05440b760d883,baecc45ad60e621ef14d6c1e7f41ef36bbfdf910)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4f489fe6afb395dbc79840efa3c05440b760d883,b1e9f2d5870776347edef927f9bb3ea19b8e3abb)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4f489fe6afb395dbc79840efa3c05440b760d883,eafd6f5372d29b0dd213799b92c2c9c7ad31d7da)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4f489fe6afb395dbc79840efa3c05440b760d883,1e68eb96e8beb1abefd12dd22c5637795d8a877e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4a158ac0538dd5695eeaa00aa0720d711f3e4ef1,*]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.6.96,6.6.140)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.12.36,6.12.88)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.15.5,6.16)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.16"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.16)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.140,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.88,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.30,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0.7,7.1.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.1-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "created": "2026-05-28T11:30:15.486075+00:00", "updated": "2026-05-28T12:00:12.592379+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-416"]}