CVE-2026-46280

In the Linux kernel, the following vulnerability has been resolved: lib: test_hmm: evict device pages on file close to avoid use-after-free Patch series "Minor hmm_test fixes and cleanups". Two bugfixes a cleanup for the HMM kernel selftests. These were mostly reported by Zenghui Yu with special thanks to Lorenzo for analysing and pointing out the problems. This patch (of 3): When dmirror_fops_release() is called it frees the dmirror struct but doesn't migrate device private pages back to system memory first. This leaves those pages with a dangling zone_device_data pointer to the freed dmirror. If a subsequent fault occurs on those pages (eg. during coredump) the dmirror_devmem_fault() callback dereferences the stale pointer causing a kernel panic. This was reported [1] when running mm/ksft_hmm.sh on arm64, where a test failure triggered SIGABRT and the resulting coredump walked the VMAs faulting in the stale device private pages. Fix this by calling dmirror_device_evict_chunk() for each devmem chunk in dmirror_fops_release() to migrate all device private pages back to system memory before freeing the dmirror struct. The function is moved earlier in the file to avoid a forward declaration.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

08 Jul 2026, 15:01

Type Values Removed Values Added
First Time Linux linux Kernel
Linux
CWE CWE-416
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
References () https://git.kernel.org/stable/c/234071b4318feaeb27cd2e4e1b16ef6b055adf89 - () https://git.kernel.org/stable/c/234071b4318feaeb27cd2e4e1b16ef6b055adf89 - Patch
References () https://git.kernel.org/stable/c/38f113f81d3f0adc658a4475dd3ecaec985e21d3 - () https://git.kernel.org/stable/c/38f113f81d3f0adc658a4475dd3ecaec985e21d3 - Patch
References () https://git.kernel.org/stable/c/5846715b6382dd4c6a69b35a56ca6115d33bc2a0 - () https://git.kernel.org/stable/c/5846715b6382dd4c6a69b35a56ca6115d33bc2a0 - Patch
References () https://git.kernel.org/stable/c/744dd97752ef1076a8d8672bb0d8aa2c7abc1144 - () https://git.kernel.org/stable/c/744dd97752ef1076a8d8672bb0d8aa2c7abc1144 - Patch
References () https://git.kernel.org/stable/c/9de1eb0aac2862d6144b8db0ec1388e79f8bc3e1 - () https://git.kernel.org/stable/c/9de1eb0aac2862d6144b8db0ec1388e79f8bc3e1 - Patch
References () https://git.kernel.org/stable/c/bf477abd448c76bb8ea51c9b4f63a3a17c4b6239 - () https://git.kernel.org/stable/c/bf477abd448c76bb8ea51c9b4f63a3a17c4b6239 - Patch

19 Jun 2026, 13:16

Type Values Removed Values Added
References
  • () https://git.kernel.org/stable/c/234071b4318feaeb27cd2e4e1b16ef6b055adf89 -

14 Jun 2026, 06:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.8

08 Jun 2026, 17:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-08 17:16

Updated : 2026-07-08 15:01


NVD link : CVE-2026-46280

Mitre link : CVE-2026-46280

CVE.ORG link : CVE-2026-46280


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-416

Use After Free