HIGH 7.8

CVE-2026-46121

A use-after-free vulnerability exists in the Linux kernel's DAMON (Data Access Monitoring) subsystem, specifically in how it manages memory cgroup path strings through its sysfs interface. When users read and write the 'memcg_path' file concurrently using separate file handles, a race condition can occur where one process reads a pointer to memory that another process has already freed. This allows an attacker with local access to crash the system or potentially execute code with kernel privileges.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
7 configuration(s)
Published / Modified
2026-05-28 / 2026-06-24

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock Patch series "mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path". Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race with their writes, results in use-after-free. Fix those. This patch (of 2): damon_sysfs_scheme_filter->mmecg_path can be read and written by users, via DAMON sysfs memcg_path file. It can also be indirectly read, for the parameters {on,off}line committing to DAMON. The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read. But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer. As a result, the readers could read the already freed buffer (user-after-free). Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking. Nonetheless, doing the reads and writes with separate open files would be common. Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46121 is a use-after-free (CWE-416) flaw in mm/damon/sysfs-schemes affecting the damon_sysfs_scheme_filter structure's memcg_path field. The vulnerability arises from inadequate synchronization between user-space reads and writes via the DAMON sysfs interface. While parameter commits to DAMON are protected by damon_sysfs_lock, direct user-driven sysfs file operations on memcg_path lack lock protection. A write operation deallocates the buffer pointed to by memcg_path without serialization, enabling concurrent reads to dereference freed memory. The kernfs per-file-handle locking prevents races when the same open file descriptor is used, but separate file handles from different processes bypass this protection.

Business impact

This vulnerability could allow local privileged users (with write access to DAMON sysfs files) to trigger kernel memory corruption, leading to denial of service through system crashes or unexpected behavior. While the attack surface is somewhat limited to systems with DAMON enabled and accessible sysfs controls, the HIGH CVSS score (7.8) reflects the combination of local privilege requirement and potential for confidentiality and integrity impact beyond availability. Organizations running custom kernel configurations or containerized workloads that leverage DAMON for monitoring face elevated risk.

Affected systems

All Linux kernel versions containing the DAMON sysfs-schemes subsystem are affected. This includes mainstream distributions and custom kernels where DAMON is compiled in (CONFIG_DAMON_SYSFS). The vulnerability is particularly relevant to systems using kernel-based workload monitoring, performance analysis tools that interface with DAMON, or containerized environments where memory cgroup management is active.

Exploitability

Exploitation requires local access with privileges sufficient to write to DAMON sysfs interface files, typically requiring unprivileged or local user status depending on file permissions. The race condition is deterministic if attackers can coordinate concurrent read and write operations on the memcg_path file descriptor. No complex exploitation techniques or specific timing windows are documented as required; the underlying flaw is inherent to the unsynchronized access pattern. This vulnerability is not currently tracked in the CISA KEV catalog.

Remediation

The fix involves wrapping both user-direct reads and writes to the memcg_path file with damon_sysfs_lock mutual exclusion, ensuring that memory deallocation and access are serialized. This aligns the sysfs file operations with the locking already applied to parameter commits. Organizations should prioritize patching kernel versions post-fix to eliminate the race condition.

Patch guidance

Verify the Linux kernel advisory or your distribution's security bulletin for patched versions addressing CVE-2026-46121. Apply kernel updates as they become available from your vendor. If kernel recompilation is performed in-house, ensure damon_sysfs_lock protection is applied to both read and write paths of the memcg_path handling code. Test patched kernels in non-production environments before broad deployment to confirm DAMON functionality remains intact.

Detection guidance

Monitor system logs for kernel warnings or crashes related to DAMON sysfs operations, particularly memory access violations or use-after-free detector output if KASAN (Kernel Address Sanitizer) is enabled. Audit access patterns to /sys/kernel/debug/damon/ sysfs paths, looking for concurrent read-write operations on memcg_path files from different processes. Kernel crash dumps indicating freed memory dereference in DAMON code paths are potential indicators of exploitation attempts.

Why prioritize this

Although this flaw requires local access and is not yet widely exploited (absent from KEV), the HIGH CVSS score and the widespread nature of Linux kernel deployments make timely patching important. Organizations with DAMON-dependent workloads, strict kernel hardening policies, or multi-tenant systems where user isolation is critical should prioritize this patch. Systems without DAMON enabled face negligible risk and can defer patching to regular maintenance cycles.

Risk score, explained

The CVSS 3.1 score of 7.8 (HIGH) reflects: local attack vector (AV:L), low attack complexity (AC:L), requiring low privilege (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The score accurately captures the kernel-level memory corruption potential and the consequence of a successful exploit, balanced against the local-only access requirement.

Frequently asked questions

What systems are at highest risk from this vulnerability?

Systems with DAMON enabled (CONFIG_DAMON_SYSFS compiled in) that permit unprivileged or low-privileged users to access DAMON sysfs files face the highest risk. This includes specialized performance-monitoring setups, containerized environments using kernel-based memory cgroup tracking, and research or development systems where kernel subsystems are broadly exposed. Standard desktop and server deployments without explicit DAMON enablement are unaffected.

Does this require root privileges to exploit?

No. The vulnerability can be triggered by users with local access and sufficient privileges to write to DAMON sysfs files, typically unprivileged or low-privilege local users depending on file permissions. Escalation to root or kernel execution is not a prerequisite for triggering the use-after-free, though the consequence (kernel memory corruption) may vary based on attacker capabilities.

Can this be exploited remotely?

No. CVE-2026-46121 is strictly a local vulnerability requiring direct access to the Linux system and the ability to interact with the DAMON sysfs interface. Remote exploitation is not possible without prior local access compromise.

Is there a workaround if I cannot patch immediately?

If kernel patching is delayed, consider disabling DAMON at compile time (CONFIG_DAMON_SYSFS=n) or restricting sysfs access via file permissions and security modules (SELinux, AppArmor) to limit exposure to trusted processes only. Monitoring for concurrent sysfs file access patterns can provide additional detective controls. However, patching remains the definitive remediation.

This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publication date. CVSS scores and severity assessments are based on vendor advisories and should be validated against your organization's threat model. Patch availability and version numbers vary by Linux distribution; consult your vendor's security bulletin for specific guidance. SEC.co does not warrant the completeness or accuracy of remediation steps and recommends validation in a controlled environment before production deployment. No exploit code or weaponization details are provided or endorsed herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Weaknesses (CWE)

Related vulnerabilities

  • CVE-2026-10001HIGH

    CVE-2026-10001: Chrome Sandbox Escape via PerformanceManager Use-After-Free

  • CVE-2026-10002HIGH

    CVE-2026-10002: Google Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)

  • CVE-2026-10003HIGH

    CVE-2026-10003: Chrome Use-After-Free Code Execution Vulnerability Analysis

  • CVE-2026-10007HIGH

    CVE-2026-10007: Chrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)

  • CVE-2026-10012HIGH

    CVE-2026-10012: Chrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)

  • CVE-2026-10013HIGH

    CVE-2026-10013: Use-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment

  • CVE-2026-10016HIGH

    CVE-2026-10016: Use-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability

  • CVE-2026-10882HIGH

    CVE-2026-10882: Critical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance