7.8

CVE-2026-46285

mtd: docg3: fix use-after-free in docg3_release()

In the Linux kernel, the following vulnerability has been resolved:

mtd: docg3: fix use-after-free in docg3_release()

In docg3_release(), the docg3 pointer is obtained from
cascade->floors[0]->priv before the loop that calls
doc_release_device() on each floor. doc_release_device() frees the
docg3 struct via kfree(docg3) at line 1881. After the loop,
docg3->cascade->bch dereferences the already-freed pointer.

Fix this by accessing cascade->bch directly, which is equivalent
since docg3->cascade points back to the same cascade struct, and
is already available as a local variable. This also removes the
now-unused docg3 local variable.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 5.8 < 5.10.258
LinuxLinux Kernel Version >= 5.11 < 5.15.209
LinuxLinux Kernel Version >= 5.16 < 6.1.175
LinuxLinux Kernel Version >= 6.2 < 6.6.140
LinuxLinux Kernel Version >= 6.7 < 6.12.86
LinuxLinux Kernel Version >= 6.13 < 6.18.27
LinuxLinux Kernel Version >= 6.19 < 7.0.4
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.13% 0.026
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/8408655ec8344511667b61d8257dc59c80ee3391
Patch
https://git.kernel.org/stable/c/f5d2ed4ed47d3906e2495a3537a48b127f497a17
Patch
https://git.kernel.org/stable/c/2bf706fe7831b319f23a85b9728f961cfed40c3e
Patch
https://git.kernel.org/stable/c/d26f8c361f751c188b7ebaf8189aa0258968fd98
Patch
https://git.kernel.org/stable/c/16f6588a3b7a2a20d10ad9b766be74c60ba347cc
Patch
https://git.kernel.org/stable/c/d89044889ecd11b0c2f86663597246e9bdd25679
Patch
https://git.kernel.org/stable/c/d49628d63d4e6bbc8a1621afb88e5fc901611bee
Patch
https://git.kernel.org/stable/c/ca19808bc6fac7e29420d8508df569b346b3e339
Patch