In the Linux kernel, the following vulnerability has been resolved:
lib: test_hmm: evict device pages on file close to avoid use-after-free
Patch series "Minor hmm_test fixes and cleanups".
Two bugfixes a cleanup for the HMM kernel selftests. These were mostly
reported by Zenghui Yu with special thanks to Lorenzo for analysing and
pointing out the problems.
This patch (of 3):
When dmirror_fops_release() is called it frees the dmirror struct but
doesn't migrate device private pages back to system memory first. This
leaves those pages with a dangling zone_device_data pointer to the freed
dmirror.
If a subsequent fault occurs on those pages (eg. during coredump) the
dmirror_devmem_fault() callback dereferences the stale pointer causing a
kernel panic. This was reported [1] when running mm/ksft_hmm.sh on arm64,
where a test failure triggered SIGABRT and the resulting coredump walked
the VMAs faulting in the stale device private pages.
Fix this by calling dmirror_device_evict_chunk() for each devmem chunk in
dmirror_fops_release() to migrate all device private pages back to system
memory before freeing the dmirror struct. The function is moved earlier
in the file to avoid a forward declaration.
References
Configurations
Configuration 1 (hide)
|
History
08 Jul 2026, 15:01
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Linux linux Kernel
Linux |
|
| CWE | CWE-416 | |
| CPE | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | |
| References | () https://git.kernel.org/stable/c/234071b4318feaeb27cd2e4e1b16ef6b055adf89 - Patch | |
| References | () https://git.kernel.org/stable/c/38f113f81d3f0adc658a4475dd3ecaec985e21d3 - Patch | |
| References | () https://git.kernel.org/stable/c/5846715b6382dd4c6a69b35a56ca6115d33bc2a0 - Patch | |
| References | () https://git.kernel.org/stable/c/744dd97752ef1076a8d8672bb0d8aa2c7abc1144 - Patch | |
| References | () https://git.kernel.org/stable/c/9de1eb0aac2862d6144b8db0ec1388e79f8bc3e1 - Patch | |
| References | () https://git.kernel.org/stable/c/bf477abd448c76bb8ea51c9b4f63a3a17c4b6239 - Patch |
19 Jun 2026, 13:16
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
14 Jun 2026, 06:16
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.8 |
08 Jun 2026, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-08 17:16
Updated : 2026-07-08 15:01
NVD link : CVE-2026-46280
Mitre link : CVE-2026-46280
CVE.ORG link : CVE-2026-46280
JSON object : View
Products Affected
linux
- linux_kernel
CWE
CWE-416
Use After Free
