CVE-2026-43388

EPSS 0.02%
Veröffentlicht 08.05.2026 14:21:33
Zuletzt bearbeitet 12.05.2026 14:10:27
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

mm/damon/core: clear walk_control on inactive context in damos_walk()

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: clear walk_control on inactive context in damos_walk()

damos_walk() sets ctx->walk_control to the caller-provided control
structure before checking whether the context is running.  If the context
is inactive (damon_is_running() returns false), the function returns
-EINVAL without clearing ctx->walk_control.  This leaves a dangling
pointer to a stack-allocated structure that will be freed when the caller
returns.

This is structurally identical to the bug fixed in commit f9132fbc2e83
("mm/damon/core: remove call_control in inactive contexts") for
damon_call(), which had the same pattern of linking a control object and
returning an error without unlinking it.

The dangling walk_control pointer can cause:
1. Use-after-free if the context is later started and kdamond
   dereferences ctx->walk_control (e.g., in damos_walk_cancel()
   which writes to control->canceled and calls complete())
2. Permanent -EBUSY from subsequent damos_walk() calls, since the
   stale pointer is non-NULL

Nonetheless, the real user impact is quite restrictive.  The
use-after-free is impossible because there is no damos_walk() callers who
starts the context later.  The permanent -EBUSY can actually confuse
users, as DAMON is not running.  But the symptom is kept only while the
context is turned off.  Turning it on again will make DAMON internally
uses a newly generated damon_ctx object that doesn't have the invalid
damos_walk_control pointer, so everything will work fine again.

Fix this by clearing ctx->walk_control under walk_control_lock before
returning -EINVAL, mirroring the fix pattern from f9132fbc2e83.

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 6

CNA 2 VulnDex Vulnerability Enrichment 11

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61

Version < ce0aa47c963b8c3e5beace89e2b5a665a64b5b6b

Status affected

Version bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61

Version < 9320c77134ab8d7701e20608bbf08517df4fa321

Status affected

Version bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61

Version < d210fdcac9c0d1380eab448aebc93f602c1cd4e6

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 6.14

Status affected

Version 0

Version < 6.14

Status unaffected

Version <= 6.18.*

Version 6.18.19

Status unaffected

Version <= 6.19.*

Version 6.19.9

Status unaffected

Version <= *

Version 7.0

Status unaffected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.063

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://git.kernel.org/stable/c/ce0aa47c963b8c3e5beace89e2b5a665a64b5b6b

https://git.kernel.org/stable/c/9320c77134ab8d7701e20608bbf08517df4fa321

https://git.kernel.org/stable/c/d210fdcac9c0d1380eab448aebc93f602c1cd4e6

https://nvd.nist.gov/vuln/detail/CVE-2026-43388

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-43388

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-43388

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-43388