CVE-2026-46277
Description
Linux kernel vulnerability allows potential use-after-free in device folio handling, impacting memory management.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A use-after-free vulnerability exists in the Linux kernel's mm/zone_device component. This occurs because a device folio's contents can change immediately after ->folio_free() is called, as the folio might be reallocated by a driver with a different order. The fix ensures that a local stack variable is used when calling percpu_ref_put_many() instead of touching the folio again to extract the pgmap. This vulnerability affects versions of the Linux kernel prior to the fix applied in commit 85be0a262e39c706edb53c88af8afde2e98222ba [1].
Exploitation
Exploitation of this vulnerability requires an attacker to trigger a specific memory management sequence within the kernel where a device folio is freed and then potentially reallocated before its reference count is decremented. This could involve a race condition between the kernel's memory management and a device driver's operations. Successful exploitation would likely require elevated privileges or specific kernel interaction capabilities.
Impact
Successful exploitation of this use-after-free vulnerability could lead to kernel memory corruption. This may result in a denial of service, information disclosure, or potentially privilege escalation, depending on how the corrupted memory is subsequently used by the kernel or a malicious actor. The exact impact is not fully detailed in the available references.
Mitigation
The vulnerability has been resolved in the Linux kernel via commit 85be0a262e39c706edb53c88af8afde2e98222ba [1]. Users should update to a kernel version containing this fix. No specific workaround is mentioned in the available references, and it is not indicated whether this vulnerability is part of any known exploited vulnerabilities (KEV) list or if the affected versions are end-of-life.
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
399289849560 mm/zone_device: do not touch device folio after calling ->folio_free()
1 file changed · +1 −2
mm/memremap.c+1 −2 modifieddiff --git a/mm/memremap.c b/mm/memremap.c index ac7be07e3361a..053842d45cb10 100644 --- a/mm/memremap.c +++ b/mm/memremap.c @@ -454,7 +454,7 @@ void free_zone_device_folio(struct folio *folio) if (WARN_ON_ONCE(!pgmap->ops || !pgmap->ops->folio_free)) break; pgmap->ops->folio_free(folio); - percpu_ref_put_many(&folio->pgmap->ref, nr); + percpu_ref_put_many(&pgmap->ref, nr); break; case MEMORY_DEVICE_GENERIC: -- cgit 1.3-korg
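Review bot: the hunk depends on the local `pgmap` having been loaded from `folio->pgmap` before `pgmap->ops->folio_free(folio)` runs, and that load sits outside the shown context; the visible `WARN_ON_ONCE(!pgmap->ops || !pgmap->ops->folio_free)` line confirms the local is already live before the call, so `+ percpu_ref_put_many(&pgmap->ref, nr);` is consistent with it. A one-line comment above the put stating that `folio` must not be touched after `->folio_free()` returns, because the driver may have reallocated it with a different order, would document why `folio->pgmap` must not be reintroduced at that point. The same hunk is listed under both 399289849560 and 85be0a262e39.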
85be0a262e39 mm/zone_device: do not touch device folio after calling ->folio_free()
1 file changed · +1 −2
mm/memremap.c+1 −2 modifieddiff --git a/mm/memremap.c b/mm/memremap.c index ac7be07e3361a..053842d45cb10 100644 --- a/mm/memremap.c +++ b/mm/memremap.c @@ -454,7 +454,7 @@ void free_zone_device_folio(struct folio *folio) if (WARN_ON_ONCE(!pgmap->ops || !pgmap->ops->folio_free)) break; pgmap->ops->folio_free(folio); - percpu_ref_put_many(&folio->pgmap->ref, nr); + percpu_ref_put_many(&pgmap->ref, nr); break; case MEMORY_DEVICE_GENERIC: -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"The code incorrectly accesses a freed memory region after calling ->folio_free()."
Attack vector
An attacker can trigger this vulnerability by interacting with zone device memory management operations. Specifically, the issue arises when the system calls `folio_free()` on a device folio. If the folio is reallocated by a driver with a different order immediately after `folio_free()` returns, subsequent access to the original folio's `pgmap` can lead to a use-after-free condition [patch_id=5239443].
Affected code
The vulnerability exists in the `free_zone_device_folio` function within the `mm/memremap.c` file. The issue specifically concerns the handling of device folios and their associated `pgmap` references after the `folio_free()` operation.
What the fix does
The patch modifies the `free_zone_device_folio` function in `mm/memremap.c` [patch_id=5239443]. Previously, the code attempted to access `folio->pgmap->ref` after calling `pgmap->ops->folio_free(folio)`. The fix replaces this with `pgmap->ref`, utilizing a local stack variable `pgmap` that was assigned before the `folio_free` call. This prevents dereferencing a potentially freed or reallocated folio structure.
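As an added illustration (a constructed userspace model, not the kernel's code or the patch itself): a stand-in for `free_zone_device_folio()` in which the driver's `->folio_free()` hands the folio to a different `pgmap`, showing why re-reading `folio->pgmap` after the callback drops the wrong reference while the patched form, which only uses the local `pgmap`, does not. The struct and function names mirror the kernel's but their definitions here are assumptions of the model.

```c
#include <stdio.h>
/* Constructed userspace model of the free_zone_device_folio() pattern
 * in mm/memremap.c. Names mirror the kernel's; the structs are stand-ins. */
struct folio;
struct dev_pagemap_ops { void (*folio_free)(struct folio *folio); };
struct dev_pagemap { long ref; const struct dev_pagemap_ops *ops; };
struct folio { struct dev_pagemap *pgmap; };

static struct dev_pagemap pgmap_a, pgmap_b;

/* Driver callback: hands the folio to a different owner, modelling the
 * reallocation that can happen as soon as ->folio_free() is called. */
static void driver_folio_free(struct folio *folio)
{
    folio->pgmap = &pgmap_b;
}
static const struct dev_pagemap_ops driver_ops = { driver_folio_free };

/* Vulnerable shape: re-derives pgmap from the folio after the callback,
 * so the reference drop lands on whatever owns the folio now. */
static void free_device_folio_vuln(struct folio *folio, long nr)
{
    struct dev_pagemap *pgmap = folio->pgmap;
    pgmap->ops->folio_free(folio);
    folio->pgmap->ref -= nr;            /* touches folio after free */
}

/* Fixed shape (what the patch does): only the local pgmap is used. */
static void free_device_folio_fixed(struct folio *folio, long nr)
{
    struct dev_pagemap *pgmap = folio->pgmap;
    pgmap->ops->folio_free(folio);
    pgmap->ref -= nr;                   /* folio is never touched again */
}

/* Runs one free from a fresh state (both owners hold one ref) and
 * reports both refcounts: correct behaviour leaves ref_a=0, ref_b=1. */
struct outcome { long ref_a, ref_b; };
static struct outcome run_free(int fixed)
{
    struct folio f = { &pgmap_a };
    pgmap_a = (struct dev_pagemap){ 1, &driver_ops };
    pgmap_b = (struct dev_pagemap){ 1, &driver_ops };
    (fixed ? free_device_folio_fixed : free_device_folio_vuln)(&f, 1);
    return (struct outcome){ pgmap_a.ref, pgmap_b.ref };
}

int main(void)
{
    struct outcome v = run_free(0), f = run_free(1);
    printf("vuln: a=%ld b=%ld   fixed: a=%ld b=%ld\n", v.ref_a, v.ref_b, f.ref_a, f.ref_b);
    return 0;
}
```

In the vulnerable run the original owner keeps a reference it should have lost while the other owner's count is driven down; in the real kernel the stale dereference may also hit freed memory rather than a live structure.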
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.