CVE-2026-46285
Description
Linux kernel use-after-free vulnerability in mtd:docg3 allows local privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A use-after-free vulnerability exists in the docg3_release() function within the Linux kernel's mtd:docg3 driver. The docg3 pointer is dereferenced after being freed by doc_release_device(), leading to a crash or potential exploitation.
Exploitation
An attacker with local access and the ability to trigger the docg3_release() function could exploit this vulnerability. The vulnerability occurs when doc_release_device() frees the docg3 struct and the subsequent docg3->cascade->bch access dereferences the already freed pointer.
Impact
Successful exploitation of this use-after-free vulnerability could lead to a kernel crash, potentially resulting in a denial of service. In some scenarios, it might also allow for privilege escalation or arbitrary code execution within the kernel context.
Mitigation
This vulnerability has been resolved in the Linux kernel. The fix involves modifying docg3_release() to access cascade->bch directly, avoiding the dereference of the freed docg3 pointer. Users should update to a patched kernel version. No specific version information or patch release date is available in the provided references [1].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
Patches
ca19808bc6fa mtd: docg3: fix use-after-free in docg3_release()
1 file changed · +1 −3
drivers/mtd/devices/docg3.c+1 −3 modifieddiff --git a/drivers/mtd/devices/docg3.c b/drivers/mtd/devices/docg3.c index 33050a2a80f79..603fd0efc2ea2 100644 --- a/drivers/mtd/devices/docg3.c +++ b/drivers/mtd/devices/docg3.c @@ -2049,7 +2049,6 @@ err_probe: static void docg3_release(struct platform_device *pdev) { struct docg3_cascade *cascade = platform_get_drvdata(pdev); - struct docg3 *docg3 = cascade->floors[0]->priv; int floor; doc_unregister_sysfs(pdev, cascade); @@ -2057,7 +2056,7 @@ static void docg3_release(struct platform_device *pdev) if (cascade->floors[floor]) doc_release_device(cascade->floors[floor]); - bch_free(docg3->cascade->bch); + bch_free(cascade->bch); } #ifdef CONFIG_OF -- cgit 1.3-korg
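Review bot: In the second hunk, `bch_free(cascade->bch)` is safe only if `cascade` itself is still valid after every `doc_release_device()` call in the loop just above it; the diff does not show who owns the cascade allocation, so a one-line comment at that call stating that the cascade outlives the per-floor structures would keep a later cleanup from reintroducing a stale read. The initializer dropped in the first hunk, `cascade->floors[0]->priv`, also dereferenced floor 0 without the `if (cascade->floors[floor])` guard that the loop applies, so removing it rather than moving it below the loop is the right call.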
2bf706fe7831 mtd: docg3: fix use-after-free in docg3_release()
1 file changed · +1 −3
drivers/mtd/devices/docg3.c+1 −3 modifieddiff --git a/drivers/mtd/devices/docg3.c b/drivers/mtd/devices/docg3.c index 8cb25cfd9c10a..2f82bc7c07931 100644 --- a/drivers/mtd/devices/docg3.c +++ b/drivers/mtd/devices/docg3.c @@ -2049,7 +2049,6 @@ err_probe: static void docg3_release(struct platform_device *pdev) { struct docg3_cascade *cascade = platform_get_drvdata(pdev); - struct docg3 *docg3 = cascade->floors[0]->priv; int floor; doc_unregister_sysfs(pdev, cascade); @@ -2057,7 +2056,7 @@ static void docg3_release(struct platform_device *pdev) if (cascade->floors[floor]) doc_release_device(cascade->floors[floor]); - bch_free(docg3->cascade->bch); + bch_free(cascade->bch); } #ifdef CONFIG_OF -- cgit 1.3-korg
d89044889ecd mtd: docg3: fix use-after-free in docg3_release()
1 file changed · +1 −3
drivers/mtd/devices/docg3.c+1 −3 modifieddiff --git a/drivers/mtd/devices/docg3.c b/drivers/mtd/devices/docg3.c index c93769c233d9a..a46010ea459a3 100644 --- a/drivers/mtd/devices/docg3.c +++ b/drivers/mtd/devices/docg3.c @@ -2049,7 +2049,6 @@ err_probe: static void docg3_release(struct platform_device *pdev) { struct docg3_cascade *cascade = platform_get_drvdata(pdev); - struct docg3 *docg3 = cascade->floors[0]->priv; int floor; doc_unregister_sysfs(pdev, cascade); @@ -2057,7 +2056,7 @@ static void docg3_release(struct platform_device *pdev) if (cascade->floors[floor]) doc_release_device(cascade->floors[floor]); - bch_free(docg3->cascade->bch); + bch_free(cascade->bch); } #ifdef CONFIG_OF -- cgit 1.3-korg
8408655ec834 mtd: docg3: fix use-after-free in docg3_release()
1 file changed · +1 −3
drivers/mtd/devices/docg3.c+1 −3 modifieddiff --git a/drivers/mtd/devices/docg3.c b/drivers/mtd/devices/docg3.c index fa42473d04c1b..378239c7513e0 100644 --- a/drivers/mtd/devices/docg3.c +++ b/drivers/mtd/devices/docg3.c @@ -2042,7 +2042,6 @@ err_probe: static int docg3_release(struct platform_device *pdev) { struct docg3_cascade *cascade = platform_get_drvdata(pdev); - struct docg3 *docg3 = cascade->floors[0]->priv; int floor; doc_unregister_sysfs(pdev, cascade); @@ -2050,7 +2049,7 @@ static int docg3_release(struct platform_device *pdev) if (cascade->floors[floor]) doc_release_device(cascade->floors[floor]); - bch_free(docg3->cascade->bch); + bch_free(cascade->bch); return 0; } -- cgit 1.3-korg
f5d2ed4ed47d mtd: docg3: fix use-after-free in docg3_release()
1 file changed · +1 −3
drivers/mtd/devices/docg3.c+1 −3 modifieddiff --git a/drivers/mtd/devices/docg3.c b/drivers/mtd/devices/docg3.c index 25a7df6448028..7de576404b14f 100644 --- a/drivers/mtd/devices/docg3.c +++ b/drivers/mtd/devices/docg3.c @@ -2041,7 +2041,6 @@ err_probe: static void docg3_release(struct platform_device *pdev) { struct docg3_cascade *cascade = platform_get_drvdata(pdev); - struct docg3 *docg3 = cascade->floors[0]->priv; int floor; doc_unregister_sysfs(pdev, cascade); @@ -2049,7 +2048,7 @@ static void docg3_release(struct platform_device *pdev) if (cascade->floors[floor]) doc_release_device(cascade->floors[floor]); - bch_free(docg3->cascade->bch); + bch_free(cascade->bch); } #ifdef CONFIG_OF -- cgit 1.3-korg
d26f8c361f75 mtd: docg3: fix use-after-free in docg3_release()
1 file changed · +1 −3
drivers/mtd/devices/docg3.c+1 −3 modifieddiff --git a/drivers/mtd/devices/docg3.c b/drivers/mtd/devices/docg3.c index a2b643af70194..e37fb11556479 100644 --- a/drivers/mtd/devices/docg3.c +++ b/drivers/mtd/devices/docg3.c @@ -2049,7 +2049,6 @@ err_probe: static void docg3_release(struct platform_device *pdev) { struct docg3_cascade *cascade = platform_get_drvdata(pdev); - struct docg3 *docg3 = cascade->floors[0]->priv; int floor; doc_unregister_sysfs(pdev, cascade); @@ -2057,7 +2056,7 @@ static void docg3_release(struct platform_device *pdev) if (cascade->floors[floor]) doc_release_device(cascade->floors[floor]); - bch_free(docg3->cascade->bch); + bch_free(cascade->bch); } #ifdef CONFIG_OF -- cgit 1.3-korg
16f6588a3b7a mtd: docg3: fix use-after-free in docg3_release()
1 file changed · +1 −3
drivers/mtd/devices/docg3.c+1 −3 modifieddiff --git a/drivers/mtd/devices/docg3.c b/drivers/mtd/devices/docg3.c index a2b643af70194..e37fb11556479 100644 --- a/drivers/mtd/devices/docg3.c +++ b/drivers/mtd/devices/docg3.c @@ -2049,7 +2049,6 @@ err_probe: static void docg3_release(struct platform_device *pdev) { struct docg3_cascade *cascade = platform_get_drvdata(pdev); - struct docg3 *docg3 = cascade->floors[0]->priv; int floor; doc_unregister_sysfs(pdev, cascade); @@ -2057,7 +2056,7 @@ static void docg3_release(struct platform_device *pdev) if (cascade->floors[floor]) doc_release_device(cascade->floors[floor]); - bch_free(docg3->cascade->bch); + bch_free(cascade->bch); } #ifdef CONFIG_OF -- cgit 1.3-korg
d49628d63d4e mtd: docg3: fix use-after-free in docg3_release()
1 file changed · +1 −3
drivers/mtd/devices/docg3.c+1 −3 modifieddiff --git a/drivers/mtd/devices/docg3.c b/drivers/mtd/devices/docg3.c index 33050a2a80f79..603fd0efc2ea2 100644 --- a/drivers/mtd/devices/docg3.c +++ b/drivers/mtd/devices/docg3.c @@ -2049,7 +2049,6 @@ err_probe: static void docg3_release(struct platform_device *pdev) { struct docg3_cascade *cascade = platform_get_drvdata(pdev); - struct docg3 *docg3 = cascade->floors[0]->priv; int floor; doc_unregister_sysfs(pdev, cascade); @@ -2057,7 +2056,7 @@ static void docg3_release(struct platform_device *pdev) if (cascade->floors[floor]) doc_release_device(cascade->floors[floor]); - bch_free(docg3->cascade->bch); + bch_free(cascade->bch); } #ifdef CONFIG_OF -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"The docg3_release function dereferences a pointer after it has been freed."
Attack vector
An attacker can trigger this vulnerability by causing the docg3_release function to execute. This function is responsible for releasing resources associated with the docg3 device. The vulnerability occurs when the `doc_release_device()` function is called within a loop, which frees the `docg3` struct. Subsequently, the code attempts to access members of the now-freed `docg3` struct, leading to a use-after-free condition.
Affected code
The vulnerability exists in the `docg3_release` function within the file `drivers/mtd/devices/docg3.c`. Specifically, the issue arises from the order of operations where `doc_release_device()` is called within a loop, freeing the `docg3` struct, and then `docg3->cascade->bch` is accessed after the loop.
What the fix does
The patch modifies the `docg3_release` function to directly access `cascade->bch` instead of `docg3->cascade->bch` [patch_id=5239489]. This is possible because `docg3->cascade` points to the same `cascade` struct which is already available as a local variable. This change prevents the dereferencing of the `docg3` pointer after it has been freed by `doc_release_device()`, thus resolving the use-after-free vulnerability.
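The ordering bug and its fix, reduced to a user-space C model. This is an added example, not the kernel's code: the struct layouts, the `freed` flag and the names `free_bch`, `release_all_floors`, `release_vulnerable`, `release_fixed` and `run_model` are assumptions made for illustration.

```c
/* User-space model of docg3_release(); layouts and names are assumptions. */
#include <stddef.h>
#define MAX_FLOORS 4

struct cascade;
struct docg3   { struct cascade *cascade; int freed; };
struct floor   { struct docg3 *priv; };
struct cascade { struct floor *floors[MAX_FLOORS]; int bch_freed; };

/* Stand-in for bch_free(); 'via' is the docg3 the cascade was reached through. */
static int free_bch(struct docg3 *via, struct cascade *c)
{
    if (via && via->freed)
        return -1;               /* path crosses freed memory */
    c->bch_freed = 1;
    return 0;
}

/* Setting 'freed' stands in for doc_release_device(); nothing is really freed. */
static void release_all_floors(struct cascade *c)
{
    for (int i = 0; i < MAX_FLOORS; i++)
        if (c->floors[i])
            c->floors[i]->priv->freed = 1;
}

/* Pre-fix shape: docg3 is cached first and used again after the loop. */
static int release_vulnerable(struct cascade *c)
{
    struct docg3 *docg3 = c->floors[0]->priv;
    release_all_floors(c);
    return free_bch(docg3, c);   /* models bch_free(docg3->cascade->bch) */
}

/* Post-fix shape: only the cascade pointer is read after the loop. */
static int release_fixed(struct cascade *c)
{
    release_all_floors(c);
    return free_bch(NULL, c);    /* models bch_free(cascade->bch) */
}
/* Constructed two-floor cascade; returns the chosen variant's result. */
static int run_model(int fixed)
{
    struct docg3 d[2];
    struct floor f[2] = { { &d[0] }, { &d[1] } };
    struct cascade c = { { &f[0], &f[1] }, 0 };
    d[0] = d[1] = (struct docg3){ &c, 0 };
    return fixed ? release_fixed(&c) : release_vulnerable(&c);
}
int main(void) { return !(run_model(0) == -1 && run_model(1) == 0); }
```

In the kernel the stale read has no flag to consult; it simply reads whatever now occupies the freed allocation.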
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/16f6588a3b7a2a20d10ad9b766be74c60ba347cc (nvd)
- git.kernel.org/stable/c/2bf706fe7831b319f23a85b9728f961cfed40c3e (nvd)
- git.kernel.org/stable/c/8408655ec8344511667b61d8257dc59c80ee3391 (nvd)
- git.kernel.org/stable/c/ca19808bc6fac7e29420d8508df569b346b3e339 (nvd)
- git.kernel.org/stable/c/d26f8c361f751c188b7ebaf8189aa0258968fd98 (nvd)
- git.kernel.org/stable/c/d49628d63d4e6bbc8a1621afb88e5fc901611bee (nvd)
- git.kernel.org/stable/c/d89044889ecd11b0c2f86663597246e9bdd25679 (nvd)
- git.kernel.org/stable/c/f5d2ed4ed47d3906e2495a3537a48b127f497a17 (nvd)