CVE-2026-46087
Description
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/stat: fix memory leak on damon_start() failure in damon_stat_start()
Destroy the DAMON context and reset the global pointer when damon_start() fails. Otherwise, the context allocated by damon_stat_build_ctx() is leaked, and the stale damon_stat_context pointer will be overwritten on the next enable attempt, making the old allocation permanently unreachable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in the Linux kernel's DAMON stat feature occurs when `damon_start()` fails, leaving the allocated context permanently unreachable.
Vulnerability
In the Linux kernel's mm/damon/stat subsystem, the function damon_stat_start() allocates a DAMON context via damon_stat_build_ctx() and then invokes damon_start(). If damon_start() fails, the code previously neither destroyed the context nor reset the global pointer damon_stat_context. The allocated context is therefore never freed, and because the stale pointer is overwritten on the next enable attempt, the old allocation becomes permanently unreachable. The vulnerability exists in kernel versions prior to the fix (see [1]).
Exploitation
An attacker or system administrator triggering a failure condition in damon_start() (e.g., due to resource constraints or configuration errors) while enabling DAMON stat will cause the memory leak. No special privileges beyond those required to enable DAMON (typically root or CAP_SYS_ADMIN) are needed. The sequence: enable DAMON stat via the appropriate sysfs/debugfs interface, causing damon_start() to fail; the leaked context memory accumulates over repeated attempts.
Impact
Successful exploitation leads to a kernel memory leak. The leaked memory cannot be reclaimed without a reboot, potentially exhausting system memory over time and causing denial of service. There is no privilege escalation or direct data disclosure; the impact is availability degradation.
Mitigation
The issue is fixed in the Linux kernel commit referenced as [1]. Users should update to a kernel version containing the fix (e.g., apply the patch from the stable tree). As a workaround, avoid triggering failures in damon_start() when enabling DAMON stat, or avoid using the DAMON stat feature entirely until the patch is applied. No EOL status or KEV listing is known at this time.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
8a62c58411cb mm/damon/stat: fix memory leak on damon_start() failure in damon_stat_start()
1 file changed · +4 −2
mm/damon/stat.c+4 −2 modifieddiff --git a/mm/damon/stat.c b/mm/damon/stat.c index 3a55f6e41dc4c7..eb728a89924e10 100644 --- a/mm/damon/stat.c +++ b/mm/damon/stat.c @@ -247,8 +247,11 @@ static int damon_stat_start(void) if (!damon_stat_context) return -ENOMEM; err = damon_start(&damon_stat_context, 1, true); - if (err) + if (err) { + damon_destroy_ctx(damon_stat_context); + damon_stat_context = NULL; return err; + } damon_stat_last_refresh_jiffies = jiffies; call_control.data = damon_stat_context; -- cgit 1.3-korg
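Review bot: the cleanup added inside the `if (err)` branch is the right shape, but it is only safe if a failing `damon_start(&damon_stat_context, 1, true)` has not handed the context to a kdamond that could still touch it; the hunk cannot show that, so a one-line comment above `damon_destroy_ctx(damon_stat_context);` stating that damon_start() leaves the context unreferenced on failure would save the next reader the same question. Resetting the global with `damon_stat_context = NULL;` after the destroy, rather than only freeing, is what keeps later callers from dereferencing a dangling pointer and is worth keeping in that order.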
50bc1d7e0f3b mm/damon/stat: fix memory leak on damon_start() failure in damon_stat_start()
1 file changed · +4 −2
mm/damon/stat.c+4 −2 modifieddiff --git a/mm/damon/stat.c b/mm/damon/stat.c index 60351a71946063..99ba346f9e3257 100644 --- a/mm/damon/stat.c +++ b/mm/damon/stat.c @@ -255,8 +255,11 @@ static int damon_stat_start(void) if (!damon_stat_context) return -ENOMEM; err = damon_start(&damon_stat_context, 1, true); - if (err) + if (err) { + damon_destroy_ctx(damon_stat_context); + damon_stat_context = NULL; return err; + } damon_stat_last_refresh_jiffies = jiffies; call_control.data = damon_stat_context; -- cgit 1.3-korg
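Review bot: this backport is line-for-line the mainline hunk, differing only in the hunk offset (`@@ -255,8 +255,11 @@` against `-247`) and the blob index, so the same question about damon_start()'s failure semantics applies here and no further change is needed.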
e04ed278d25b mm/damon/stat: fix memory leak on damon_start() failure in damon_stat_start()
1 file changed · +4 −2
mm/damon/stat.c+4 −2 modifieddiff --git a/mm/damon/stat.c b/mm/damon/stat.c index cf2c5a541eeeaa..5a742fc157e4c7 100644 --- a/mm/damon/stat.c +++ b/mm/damon/stat.c @@ -249,8 +249,11 @@ static int damon_stat_start(void) if (!damon_stat_context) return -ENOMEM; err = damon_start(&damon_stat_context, 1, true); - if (err) + if (err) { + damon_destroy_ctx(damon_stat_context); + damon_stat_context = NULL; return err; + } damon_stat_last_refresh_jiffies = jiffies; call_control.data = damon_stat_context; -- cgit 1.3-korg
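Review bot: same change as the mainline hunk with only the offset (`@@ -249,8 +249,11 @@`) and blob index differing; the destroy-then-NULL ordering in the `if (err)` block is preserved, which is the part that matters for this backport.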
Vulnerability mechanics
Root cause
"Missing cleanup on error path in damon_stat_start() — when damon_start() fails, the previously allocated DAMON context is neither destroyed nor the global pointer reset, causing a memory leak."
Attack vector
An attacker with the ability to trigger the DAMON_STAT module's start operation (e.g., via writing to the damon_stat sysfs interface) can cause a memory leak. Each time damon_start() fails — for example, due to resource exhaustion or a transient kernel condition — the DAMON context allocated by damon_stat_build_ctx() is leaked because the error path in damon_stat_start() returns immediately without calling damon_destroy_ctx() or resetting the global damon_stat_context pointer [patch_id=2659809]. The stale pointer is then overwritten on the next enable attempt, making the old allocation permanently unreachable. Repeated failures can exhaust kernel memory.
Affected code
The vulnerable function is `damon_stat_start()` in `mm/damon/stat.c` [patch_id=2659809]. The error path after a failed `damon_start()` call lacked calls to `damon_destroy_ctx()` and a reset of the global `damon_stat_context` pointer.
What the fix does
The patch adds a cleanup block inside the existing `if (err)` branch in damon_stat_start() [patch_id=2659809]. Before returning the error, it now calls `damon_destroy_ctx(damon_stat_context)` to free the allocated context and sets `damon_stat_context = NULL` to clear the stale global pointer. This ensures that on any damon_start() failure, the memory is properly released and the global state remains consistent for future enable attempts.
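To show the leak the description and the fix commit describe, here is an added userspace model (constructed for this page, not kernel code): damon_stat_build_ctx(), damon_destroy_ctx() and damon_start() are stand-ins that borrow the kernel's names, live_ctx_count and start_should_fail are assumed bookkeeping, and damon_stat_start_model(fixed) runs the error path before (0) and after (1) the patch so that repeated failing enable attempts can be counted.

```c
#include <errno.h>
#include <stdlib.h>
struct damon_ctx { int placeholder; };
static struct damon_ctx *damon_stat_context; /* the global from mm/damon/stat.c */
static int live_ctx_count;    /* constructed: contexts built and not destroyed */
static int start_should_fail; /* constructed: fault-injection switch */
static struct damon_ctx *damon_stat_build_ctx(void)
{
	struct damon_ctx *ctx = malloc(sizeof(*ctx));
	live_ctx_count += (ctx != NULL);
	return ctx;
}
static void damon_destroy_ctx(struct damon_ctx *ctx)
{
	free(ctx);
	live_ctx_count--;
}
/* Stand-in for damon_start(): a failing call keeps no reference to the ctx. */
static int damon_start(struct damon_ctx **ctxs, int nr_ctxs, int exclusive)
{
	(void)ctxs; (void)nr_ctxs; (void)exclusive;
	return start_should_fail ? -EBUSY : 0;
}

/* damon_stat_start() with the error path before (fixed == 0) and after the patch. */
static int damon_stat_start_model(int fixed)
{
	int err;
	damon_stat_context = damon_stat_build_ctx();
	if (!damon_stat_context)
		return -ENOMEM;
	err = damon_start(&damon_stat_context, 1, 1);
	if (err) {
		if (fixed) { /* the cleanup block the patch adds */
			damon_destroy_ctx(damon_stat_context);
			damon_stat_context = NULL;
		} /* pre-fix: return with ctx still allocated and the global stale */
		return err;
	}
	return 0;
}
/* Runs `attempts` failing enables; returns how many contexts are no longer
 * reachable through the global pointer, i.e. permanently leaked. */
static int unreachable_after_failures(int fixed, int attempts)
{
	live_ctx_count = 0; damon_stat_context = NULL; start_should_fail = 1;
	for (int i = 0; i < attempts; i++)
		damon_stat_start_model(fixed);
	return damon_stat_context ? live_ctx_count - 1 : live_ctx_count;
}
```

With five failing attempts the pre-fix path leaves four contexts unreachable (the fifth is still pointed to by the stale global), while the patched path leaves none and a NULL global.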
Preconditions
- config: The DAMON_STAT module must be built into or loaded on the kernel.
- input: An attacker must be able to trigger the damon_stat_start() function, e.g., by writing to the damon_stat control interface.
- input: damon_start() must fail (e.g., due to resource exhaustion or internal error) after damon_stat_build_ctx() has succeeded.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (3)
No linked articles in our index yet.