CVE-2026-46277 in Linux
Summary
by MITRE • 06/08/2026
In the Linux kernel, the following vulnerability has been resolved:
mm/zone_device: do not touch device folio after calling ->folio_free()
The contents of a device folio can immediately change after calling ->folio_free(), as the folio may be reallocated by a driver with a different order. Instead of touching the folio again to extract the pgmap, use the local stack variable when calling percpu_ref_put_many().
Analysis
by VulDB Data Team • 06/08/2026
The flaw is in the Linux kernel's memory management subsystem, in the ZONE_DEVICE code that releases device-backed folios. When the last reference to such a folio is dropped, the kernel invokes the owning driver's ->folio_free() callback and then drops the reference it holds on the region's struct dev_pagemap. The affected code re-read the pgmap pointer from the folio after the callback had returned. Once ->folio_free() returns, the driver owns the page again and may reallocate it immediately, possibly as part of a folio of a different order, so the field the kernel reads back need not hold a pgmap pointer any more. It is a use-after-free in the CWE-416 sense, with the twist that the struct page itself is never freed: what has gone away is the kernel's right to interpret its contents.
The root cause is ordering, not missing locking: a value needed after the callback was fetched from the folio instead of being saved beforehand. In struct page the pgmap field shares its slot with compound_head, the tagged pointer that tail pages of a compound page use to find their head. If the driver re-forms the freed page as a tail of a larger folio, the re-read value is compound_head with bit 0 set rather than a struct dev_pagemap address, and the following percpu_ref_put_many() decrements a counter through a pointer that refers to something else entirely. The real pgmap meanwhile keeps a reference it should have lost; since memunmap_pages() waits for that count to reach zero, a leaked reference can stall teardown of the device region indefinitely. Whether anything goes wrong at all depends on what the driver does with the page in the window between the callback and the read; when it does, both effects occur at once.
The affected path is reachable only on systems that use zone_device memory owned by a driver that supplies a ->folio_free() handler, most prominently GPU and accelerator drivers that migrate pages between system RAM and device memory. A local process using such a device can drive the allocate-and-free cycle that reaches the vulnerable code, but the kernel advisory describes no exploit. The bad write lands at an address derived from a struct page pointer, not from attacker-chosen data, so the realistic effects are corrupted page metadata, a crash, or a device region that can no longer be torn down, rather than a controlled write. Treat the code-execution and privilege-escalation scenarios as theoretical until demonstrated; denial of service on hosts that run such workloads, including GPU servers and virtualization hosts that pass accelerators through, is the concrete risk.
The fix is small: the freeing path in mm/memremap.c already reads the pgmap pointer into a local before calling ->folio_free(), and it now passes that local to percpu_ref_put_many() instead of re-reading folio->pgmap. Upgrade to a kernel carrying the patch; no configuration knob disables this path on its own, and the only stopgap is not loading the device-memory driver on hosts that do not need it. Test the update on the hardware in question before rolling it out, since device-memory drivers are exactly the code the fix touches. The useful detection signals are kernel warnings or oopses from mm/memremap.c and device regions that never finish unmapping on driver unbind, not generic allocation-pattern monitoring. The bug class maps to ATT&CK technique T1068 (Exploitation for Privilege Escalation). Code review for the same shape elsewhere is worthwhile: whenever an object is handed to a callback that may free or recycle it, everything needed afterwards must be saved in locals first.
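The following is an added example written for this page, not kernel code: a user-space C model of the ordering bug described in the root-cause paragraph and of the fix described in the mitigation paragraph. The names (dev_pagemap, folio, driver_folio_free, buggy_free, fixed_free, pool) are the example's own and only loosely mirror the kernel. The one kernel fact it relies on is that in struct page the pgmap pointer and a tail page's compound_head word occupy the same slot, so a page that the driver re-forms as a tail no longer carries a pgmap pointer there.

```c
/*
 * Added example, not kernel code.  Models free_zone_device_folio()'s
 * ordering mistake: reading folio->pgmap after ->folio_free() has
 * handed the page back to the driver.  All names are this example's own.
 */
#include <stdint.h>
#include <stdio.h>

struct dev_pagemap {
	long ref;			/* stands in for pgmap->ref (a percpu_ref) */
};

/* Model of struct page/folio: word0 is either a pgmap pointer (head or
 * order-0 page) or the tagged head pointer compound_head | 1 (tail page),
 * exactly the aliasing the real struct page union has. */
struct folio {
	uintptr_t word0;
	unsigned int order;
};

#define NR_PAGES 4
static struct dev_pagemap pgmap_a;	/* the region all four pages belong to */
static struct folio pool[NR_PAGES];	/* the device's pages, contiguous */
static int nr_folio_free_calls;

static int folio_is_tail(const struct folio *f) { return (int)(f->word0 & 1); }

static struct dev_pagemap *folio_pgmap(const struct folio *f)
{
	return (struct dev_pagemap *)f->word0;
}

/* Put the pool back to four order-0 pages owned by pgmap_a. */
static void reset_pool(void)
{
	for (int i = 0; i < NR_PAGES; i++) {
		pool[i].word0 = (uintptr_t)&pgmap_a;
		pool[i].order = 0;
	}
	pgmap_a.ref = NR_PAGES;
	nr_folio_free_calls = 0;
}

/* Driver's ->folio_free(): the moment a page comes back, the driver
 * re-forms the whole pool into one order-2 folio headed at pool[0].
 * Every other page becomes a tail whose word0 is compound_head | 1. */
static void driver_folio_free(struct folio *freed)
{
	(void)freed;
	nr_folio_free_calls++;
	pool[0].word0 = (uintptr_t)&pgmap_a;
	pool[0].order = 2;
	for (int i = 1; i < NR_PAGES; i++) {
		pool[i].word0 = (uintptr_t)&pool[0] | 1;
		pool[i].order = 0;
	}
}

/* Vulnerable ordering: re-read folio->pgmap after the callback.  Returns
 * the pointer that would be handed to percpu_ref_put_many() instead of
 * dereferencing it, so the bad case is observable rather than a crash. */
static struct dev_pagemap *buggy_free(struct folio *f)
{
	driver_folio_free(f);
	return folio_pgmap(f);		/* garbage if f is now a tail page */
}

/* Fixed ordering: capture pgmap before the callback, use the local after. */
static struct dev_pagemap *fixed_free(struct folio *f)
{
	struct dev_pagemap *pgmap = folio_pgmap(f);

	driver_folio_free(f);
	pgmap->ref--;			/* percpu_ref_put_many(&pgmap->ref, nr) */
	return pgmap;
}

int main(void)
{
	struct dev_pagemap *p;

	reset_pool();
	p = buggy_free(&pool[0]);	/* head page keeps its pgmap: bug hidden */
	printf("buggy, page 0: pgmap ok=%d\n", p == &pgmap_a);

	reset_pool();
	p = buggy_free(&pool[2]);	/* now a tail: word0 is a tagged head ptr */
	printf("buggy, page 2: pgmap ok=%d tail=%d tagged=%d\n", p == &pgmap_a,
	       folio_is_tail(&pool[2]), (int)((uintptr_t)p & 1));

	reset_pool();
	p = fixed_free(&pool[2]);
	printf("fixed, page 2: pgmap ok=%d ref=%ld\n", p == &pgmap_a, pgmap_a.ref);
	return 0;
}
```

The point the first call makes is why this bug is easy to miss in testing: if the driver hands the page back as a head page, the re-read still returns the right pgmap and nothing looks wrong. Only when the page becomes a tail of a larger-order folio does the same field turn into a tagged compound_head pointer, which is the "different order" case the commit message warns about.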