CVE-2026-46183: Linux DAMON Use-After-Free Race Condition (CVSS 7.8)
A race condition exists in the Linux kernel's DAMON (Data Access Monitoring) subsystem where multiple processes can simultaneously read and write to a shared memory path variable without proper synchronization. When one process deallocates this buffer while another is reading it, the reader accesses freed memory—a use-after-free condition. The vulnerability requires local system access and standard user privileges to exploit, but grants attackers the ability to read sensitive kernel memory, corrupt data structures, or crash the system. This is a classic synchronization flaw that occurs when direct user-driven file operations bypass the locking mechanisms protecting background parameter-commit operations.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-415
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file. It can also be indirectly read, for the parameters {on,off}line committing to DAMON. The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read. But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer. As a result, the readers could read the already freed buffer (user-after-free). Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking. Nonetheless, doing the reads and writes with separate open files would be common. Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46183 is a use-after-free vulnerability in the Linux kernel's DAMON sysfs interface, specifically in the damon_sysfs_quot_goal->path handler. The vulnerability stems from incomplete lock protection: while indirect reads of the path variable (during parameter commits to DAMON) are guarded by damon_sysfs_lock, direct user reads and writes via the DAMON sysfs 'path' file lack synchronization. When a user performs a write operation that deallocates the buffer, concurrent readers—particularly those using separate file descriptors—can dereference the freed memory. Although kernfs's open-file locking prevents races within a single file handle, opening the file separately circumvents this protection. The fix applies damon_sysfs_lock to both user-direct reads and writes, ensuring consistent serialization across all access patterns.
Business impact
This vulnerability affects system reliability and security posture on machines running vulnerable Linux kernel versions. Attackers with local access can exploit it to extract sensitive information from kernel memory, potentially exposing cryptographic keys, authentication tokens, or other privileged data. The ability to corrupt kernel data structures or trigger kernel panics creates denial-of-service risk, disrupting critical services. For organizations deploying DAMON for performance monitoring or running kernels with this subsystem enabled, patching is necessary to restore stability and prevent information disclosure through unprivileged process abuse.
Affected systems
Any Linux system running a vulnerable kernel version with the DAMON (Data Access Monitoring) subsystem enabled. DAMON functionality is typically found in modern kernels used for performance tuning and memory access analysis. Systems with unprivileged user accounts that can access sysfs are at risk, as the vulnerability requires only standard local user privileges (PR:L) to trigger. Embedded systems, workstations, and servers where DAMON is compiled in or loaded as a module are in scope.
Exploitability
Exploitability is straightforward for local attackers. The vulnerability requires local access (AV:L) and low privileges (PR:L), with no user interaction needed (UI:N). An attacker can craft a simple multi-threaded or multi-process program that opens the DAMON sysfs 'path' file in separate file descriptors, performing concurrent read and write operations to trigger the race condition. No special kernel knowledge, exploit kit, or advanced techniques are required. The exposure is high because the race window, though small, is reliably reproducible through repeated attempts.
Remediation
Apply the Linux kernel patch that wraps both user-direct reads and writes of the damon_sysfs_quot_goal->path variable with damon_sysfs_lock. This synchronization fix ensures that all access patterns—user-direct and indirect (parameter commits)—are serialized, eliminating the race condition. Organizations should verify the patch version against their kernel branch and distributor advisory. Distributions including Red Hat, Ubuntu, Debian, and others will backport this fix to their supported kernel versions; consult vendor security advisories for specific version numbers and timelines.
Patch guidance
Monitor your Linux distribution's security advisory channels for kernel updates addressing CVE-2026-46183. Major distributions typically backport critical synchronization fixes promptly. Verify the patch is included in candidate kernel versions before deployment. If your kernel is built in-house, apply the upstream fix directly to the mm/damon/sysfs-schemes.c file. Testing in a non-production environment is recommended to ensure compatibility with custom configurations or downstream patches. Consider staging the patch in a rolling update to minimize service disruption.
Detection guidance
Kernel panic logs or crash dumps mentioning DAMON sysfs handlers or use-after-free conditions may indicate exploitation attempts. Monitor system call traces for repeated open/close sequences on DAMON sysfs files combined with concurrent read/write operations—a pattern inconsistent with normal usage. Memory sanitizers (KASAN) enabled in debug kernels will reliably detect use-after-free access and flag the exploit immediately. Review sysfs access patterns in environments where unprivileged users have direct access to /sys/kernel/debug/damon or similar interfaces. Log failed kernel pointer dereferences or memory protection faults tied to DAMON handlers.
Why prioritize this
This vulnerability rates HIGH (CVSS 7.8) due to the confluence of ease of exploitation, local privilege escalation potential, and confidentiality/integrity/availability impact. While it requires local access, the low privilege barrier and straightforward triggering make it accessible to any non-root user. The use-after-free condition can lead to information disclosure, privilege escalation, or kernel compromise. For organizations with multi-tenant systems, shared hosting platforms, or open-access workstations, this represents a material risk to kernel stability and data security. Prioritize patching systems where DAMON is actively used or where unprivileged user access is routine.
Risk score, explained
CVSS 3.1 score of 7.8 (HIGH) reflects attack vector of local (AV:L), low attack complexity (AC:L), low privilege requirement (PR:L), and no user interaction (UI:N), yielding a base score of 8.8. Scope is unchanged (S:U), and all impact metrics—confidentiality (C:H), integrity (I:H), and availability (A:H)—are high, confirming the elevated severity. The score assumes a typical attack surface where local users exist and can perform system calls. Environments with stricter user isolation or disabled DAMON may see lower practical risk, but the intrinsic vulnerability severity remains HIGH.
Frequently asked questions
Does this vulnerability require root privileges to exploit?
No. The vulnerability requires only standard local user privileges (PR:L in the CVSS vector). Any user on the system who can open and interact with sysfs files can craft the race condition. This makes it more accessible than many kernel bugs that demand root-level capability.
How does this differ from other use-after-free bugs in the kernel?
The distinction here is the incomplete protection pattern: some code paths (parameter commits) were protected by locks, but user-direct operations bypassed those locks. This partial protection created a false sense of safety. It's a good reminder that synchronization must be comprehensive across all access patterns, not just background operations.
If I don't use DAMON, am I still affected?
Technically, the code is present in all current Linux kernels. However, if DAMON is disabled at boot time or never interacted with, the attack surface is minimal. Distributions may allow sysfs access by default, so verify your sysfs permissions and DAMON configuration. Most users will benefit from patching regardless, as kernel updates often bundle multiple fixes.
Can this be exploited remotely?
No. The CVSS vector explicitly states AV:L (attack vector local), meaning the attacker must have local code execution capability on the target system. Remote exploitation is not feasible for this vulnerability alone, though it could be chained with other bugs to escalate an initial foothold.
This analysis is provided for informational purposes to assist in vulnerability assessment and patching prioritization. It is not a substitute for official vendor advisories or technical documentation. CVSS scores and vulnerability classifications are derived from authoritative sources and reflect general risk; actual organizational impact may vary based on deployment, configuration, and compensating controls. Verify all patch versions and compatibility against vendor release notes before deployment. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and assumes no liability for decisions made on its basis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46129HIGHLinux Kernel Btrfs Double-Free Memory Corruption – Privilege Escalation
- CVE-2026-46162HIGHLinux ice Driver Double-Free Kernel Vulnerability — Privilege Escalation Risk
- CVE-2026-46164HIGHLinux Btrfs Double-Free Kernel Vulnerability – Patch Guidance
- CVE-2026-46189HIGHLinux Kernel RDMA vmw_pvrdma Double Free Vulnerability
- CVE-2026-44422HIGHFreeRDP RDPEAR Double-Free Vulnerability (HIGH Severity)
- CVE-2026-45324LOWRizin Double Free Vulnerability in byte_pattern_search()
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)