CVE-2026-46097
Description
In the Linux kernel, the following vulnerability has been resolved:
Input: edt-ft5x06 - fix use-after-free in debugfs teardown
The commit 68743c500c6e ("Input: edt-ft5x06 - use per-client debugfs directory") removed the manual debugfs teardown, relying on the I2C core to handle it. However, this creates a window where debugfs files are still accessible after edt_ft5x06_ts_teardown_debugfs() frees tsdata->raw_buffer.
To prevent a use-after-free, protect the freeing of raw_buffer with the device mutex and set raw_buffer to NULL. The debugfs read function already checks if raw_buffer is NULL under the same mutex, so this safely avoids the use-after-free.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Fix for CVE-2026-46097 addresses a use-after-free vulnerability in the Linux kernel's edt-ft5x06 driver debugfs teardown.
Vulnerability
A use-after-free vulnerability exists in the Linux kernel's EDT-FT5x06 touchscreen driver (drivers/input/touchscreen/edt-ft5x06.c). The commit 68743c500c6e ("Input: edt-ft5x06 - use per-client debugfs directory") removed manual debugfs teardown, relying on the I2C core. However, this creates a window where debugfs files remain accessible after edt_ft5x06_ts_teardown_debugfs() frees tsdata->raw_buffer, leading to a potential use-after-free. [1]
Exploitation
An attacker with the ability to trigger debugfs file operations while the driver is being removed can exploit this race condition. Specifically, after raw_buffer is freed but before the debugfs files are fully torn down by the I2C core, a concurrent read from the debugfs file could access the freed memory. No special privileges beyond local access to debugfs are required, but the race window is small. [1]
Impact
Successful exploitation could lead to a use-after-free condition, potentially allowing an attacker to read kernel memory or cause a denial of service (system crash). The impact is limited to information disclosure or system instability. [1]
Mitigation
The fix is included in Linux kernel stable commit 9f6c5e7b747d40e1c65cbfcb975857d25154c075. [1] It protects the freeing of raw_buffer with the device mutex and sets raw_buffer to NULL. The debugfs read function already checks for NULL under the same mutex, closing the race window. Users should apply the patch from the stable kernel tree. [1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
a516d4388662 Input: edt-ft5x06 - fix use-after-free in debugfs teardown
1 file changed · +3 −1
drivers/input/touchscreen/edt-ft5x06.c+3 −1 modifieddiff --git a/drivers/input/touchscreen/edt-ft5x06.c b/drivers/input/touchscreen/edt-ft5x06.c index bf498bd4dea965..4efdb467b6c614 100644 --- a/drivers/input/touchscreen/edt-ft5x06.c +++ b/drivers/input/touchscreen/edt-ft5x06.c @@ -829,7 +829,10 @@ static void edt_ft5x06_ts_prepare_debugfs(struct edt_ft5x06_ts_data *tsdata) static void edt_ft5x06_ts_teardown_debugfs(struct edt_ft5x06_ts_data *tsdata) { + guard(mutex)(&tsdata->mutex); + kfree(tsdata->raw_buffer); + tsdata->raw_buffer = NULL; } #else -- cgit 1.3-korg
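Review bot: edt_ft5x06_ts_teardown_debugfs() now takes tsdata->mutex with no comment saying why a teardown helper needs it. A one-line comment above guard(mutex)(&tsdata->mutex) would help: it should say that the debugfs files stay reachable until the I2C core removes the per-client directory, so raw_buffer must be freed and cleared under the lock the read handler takes. That keeps a later cleanup from dropping the guard or the NULL store as redundant.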
9f6c5e7b747d Input: edt-ft5x06 - fix use-after-free in debugfs teardown
1 file changed · +3 −1
drivers/input/touchscreen/edt-ft5x06.c+3 −1 modifieddiff --git a/drivers/input/touchscreen/edt-ft5x06.c b/drivers/input/touchscreen/edt-ft5x06.c index d0ab644be0069b..0042361d17ad46 100644 --- a/drivers/input/touchscreen/edt-ft5x06.c +++ b/drivers/input/touchscreen/edt-ft5x06.c @@ -829,7 +829,10 @@ static void edt_ft5x06_ts_prepare_debugfs(struct edt_ft5x06_ts_data *tsdata) static void edt_ft5x06_ts_teardown_debugfs(struct edt_ft5x06_ts_data *tsdata) { + guard(mutex)(&tsdata->mutex); + kfree(tsdata->raw_buffer); + tsdata->raw_buffer = NULL; } #else -- cgit 1.3-korg
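Review bot: The hunk covers only the free side in edt_ft5x06_ts_teardown_debugfs(); the NULL test it depends on lives in the debugfs read handler, which is outside the visible lines. It is worth confirming in the same file that every path dereferencing tsdata->raw_buffer takes tsdata->mutex and checks for NULL before use, since tsdata->raw_buffer = NULL only helps readers that look at the pointer under that lock.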
f5f9e0706051 Input: edt-ft5x06 - fix use-after-free in debugfs teardown
1 file changed · +3 −1
drivers/input/touchscreen/edt-ft5x06.c+3 −1 modifieddiff --git a/drivers/input/touchscreen/edt-ft5x06.c b/drivers/input/touchscreen/edt-ft5x06.c index ba8ff65f7ea671..d3b1177185a3b3 100644 --- a/drivers/input/touchscreen/edt-ft5x06.c +++ b/drivers/input/touchscreen/edt-ft5x06.c @@ -804,7 +804,10 @@ static void edt_ft5x06_ts_prepare_debugfs(struct edt_ft5x06_ts_data *tsdata) static void edt_ft5x06_ts_teardown_debugfs(struct edt_ft5x06_ts_data *tsdata) { + guard(mutex)(&tsdata->mutex); + kfree(tsdata->raw_buffer); + tsdata->raw_buffer = NULL; } #else -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing synchronization and NULL-pointer cleanup in debugfs teardown allows a concurrent debugfs read to access freed raw_buffer memory."
Attack vector
An attacker with local access to the debugfs filesystem can read the debugfs file exposed by the edt-ft5x06 touchscreen driver while the device is being removed. The I2C core removes the debugfs directory asynchronously after edt_ft5x06_ts_teardown_debugfs() frees tsdata->raw_buffer, creating a race window. During that window, a concurrent read operation on the debugfs file can dereference the freed raw_buffer pointer, causing a use-after-free [patch_id=2659733]. No authentication beyond local debugfs access is required.
Affected code
The vulnerable function is edt_ft5x06_ts_teardown_debugfs() in drivers/input/touchscreen/edt-ft5x06.c [patch_id=2659733]. The function frees tsdata->raw_buffer without holding the device mutex and without NULLing the pointer afterward.
What the fix does
The patch adds a guard(mutex) around the teardown function to synchronize with the debugfs read handler, which already acquires the same mutex before checking raw_buffer. It also sets raw_buffer to NULL after kfree, so that any read that enters after the mutex is released sees a NULL pointer and safely returns without accessing freed memory [patch_id=2659733]. This closes the race window between teardown and concurrent debugfs reads.
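An added userspace model of the teardown change described above (not the driver's code and not part of the original page): teardown_before and teardown_after mirror the function before and after the patch, and read_after_teardown plays a debugfs read that arrives once teardown has run. The struct layout, the released flag, the STALE marker and the -ENODEV return value are assumptions of the model, and a pthread mutex stands in for tsdata->mutex.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

enum { RAW_SIZE = 64, STALE = -1000 };  /* STALE is a model-only marker */
/* Userspace model; field names follow the page, everything else is assumed. */
struct ts_model {
	pthread_mutex_t mutex;      /* stands in for tsdata->mutex */
	unsigned char *raw_buffer;  /* stands in for tsdata->raw_buffer */
	int released;               /* model bookkeeping: kfree() has been called */
};

/* Read path: tests raw_buffer for NULL under the mutex (-ENODEV is assumed). */
long model_read(struct ts_model *ts, unsigned char *dst) {
	long ret = -ENODEV;
	pthread_mutex_lock(&ts->mutex);
	if (ts->raw_buffer) {
		ret = ts->released ? STALE : RAW_SIZE;  /* STALE: freed memory would be copied */
		if (!ts->released)
			memcpy(dst, ts->raw_buffer, RAW_SIZE);
	}
	pthread_mutex_unlock(&ts->mutex);
	return ret;
}

/* Before the fix: no lock, pointer left set. The model only records the kfree(). */
void teardown_before(struct ts_model *ts) {
	ts->released = 1;
}

/* After the fix: free and clear the pointer under the mutex the reader takes. */
void teardown_after(struct ts_model *ts) {
	pthread_mutex_lock(&ts->mutex);
	free(ts->raw_buffer);
	ts->raw_buffer = NULL;
	ts->released = 1;
	pthread_mutex_unlock(&ts->mutex);
}

/* A read issued after teardown, while the debugfs file is still reachable. */
long read_after_teardown(void (*teardown)(struct ts_model *)) {
	struct ts_model ts = { PTHREAD_MUTEX_INITIALIZER, calloc(1, RAW_SIZE), 0 };
	unsigned char out[RAW_SIZE];
	teardown(&ts);
	long ret = model_read(&ts, out);
	free(ts.raw_buffer);        /* model cleanup; already NULL on the fixed path */
	return ret;
}
```

With teardown_before the late read reaches the stale pointer (STALE); with teardown_after it sees NULL and returns the error instead.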
Preconditions
- config: The edt-ft5x06 touchscreen driver must be loaded and its debugfs directory must be accessible to the attacker (typically requires local access to debugfs).
- input: The device must be undergoing removal (unbind or module unload) while a concurrent debugfs read is in progress.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.