HIGH 7.8

CVE-2026-46277: Linux Kernel Zone Device Use-After-Free Privilege Escalation

A vulnerability in the Linux kernel's memory zone device handling allows local attackers with limited privileges to gain elevated access and potentially crash the system. The issue stems from unsafe memory access patterns where the kernel reads from a memory structure (folio) after it has been freed by a device driver, potentially allowing the memory to be reallocated and repurposed. An attacker can exploit this race condition to read sensitive data, modify kernel state, or trigger a denial of service.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
Affected products
1 configuration(s)
Published / Modified
2026-06-08 / 2026-07-08

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: mm/zone_device: do not touch device folio after calling ->folio_free() The contents of a device folio can immediately change after calling ->folio_free(), as the folio may be reallocated by a driver with a different order. Instead of touching the folio again to extract the pgmap, use the local stack variable when calling percpu_ref_put_many().

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46277 addresses a use-after-free vulnerability in mm/zone_device.c where the kernel accesses a device folio after invoking the driver's ->folio_free() callback. The vulnerability occurs because device folios can be immediately reallocated by drivers with different memory orders following deallocation. The fix replaces the unsafe post-free folio dereference with a cached pgmap pointer stored on the local stack, eliminating the race condition when calling percpu_ref_put_many(). This ensures reference counting operations complete before memory state changes.

Business impact

Organizations running Linux systems face elevated security risk from local attackers. The vulnerability enables privilege escalation from unprivileged user accounts, information disclosure of kernel memory contents, and system instability through crashes. This is particularly concerning in multi-tenant environments, containerized deployments, and systems where unprivileged users have local shell access. Affected workloads include cloud infrastructure, shared hosting platforms, and development systems.

Affected systems

The Linux kernel is affected. The vulnerability impacts systems using device folios and zone device memory management, which is common in GPU support, persistent memory (PMEM) drivers, and other device-memory-dependent subsystems. Any Linux distribution shipping an affected kernel version is vulnerable if accessed by local users with standard privileges.

Exploitability

Exploitation requires local access and unprivileged user-level execution privileges. The attack surface is moderate because an attacker must understand kernel memory layout and timing to reliably trigger the use-after-free window. However, modern exploitation techniques and kernel ASLR bypasses may reduce the practical difficulty. The race condition window is narrow but exploitable through repeated access patterns or by manipulating device driver behavior.

Remediation

Apply the Linux kernel patch that replaces unsafe folio post-free access with the cached stack-based pgmap variable. Verify the patched kernel version from your Linux distribution's security advisory. Reboot systems to activate the patched kernel. Organizations should prioritize patching across all Linux systems where unprivileged users have local access.

Patch guidance

Monitor your Linux distribution's security repository for kernel updates addressing this vulnerability. Patch availability depends on your vendor (Red Hat, Canonical, SUSE, etc.); check your distribution's CVE tracking pages for specific kernel version numbers containing the fix. Test patches in a staging environment before production deployment, particularly for critical infrastructure. Coordinate reboots to minimize operational impact.

Detection guidance

Detection is difficult at runtime since the vulnerability is a logic flaw rather than a visible malfunction. Monitor system logs for unexpected kernel panics or memory corruption symptoms in conjunction with unusual device driver activity. Kernel-based intrusion detection systems with memory-access monitoring may catch exploitation attempts. Audit local user access patterns to identify suspicious or automated account activity. Monitor for unusual ioctl calls to device drivers managing zone memory.

Why prioritize this

HIGH severity (CVSS 7.8) warrants prioritized remediation despite lack of KEV listing. Local privilege escalation combined with information disclosure and denial-of-service impact makes this a significant risk for multi-user and cloud systems. Organizations with strict least-privilege policies may face lower risk, but the ease of exploitation through standard user accounts justifies rapid patching.

Risk score, explained

The CVSS 3.1 score of 7.8 (HIGH) reflects a local attack vector requiring unprivileged privileges, low attack complexity, and high impact across confidentiality, integrity, and availability. The vulnerability enables complete system compromise from an unprivileged position, justifying the elevated rating. The absence from the CISA Known Exploited Vulnerabilities catalog does not reduce severity, as active exploitation may not yet be publicly documented.

Frequently asked questions

Does this vulnerability require physical access to exploit?

No. The vulnerability requires only local login access as a standard unprivileged user. Physical access is not necessary, making it exploitable remotely on systems offering SSH access or other remote login mechanisms.

Are containers protected if the host kernel is patched?

Yes. Containerized workloads inherit the host kernel; patching the host kernel protects all containers. However, containers with privileged capabilities or kernel module loading may face additional risk vectors.

Which Linux distributions are affected?

All distributions shipping an unpatched Linux kernel are vulnerable. Check your vendor's security advisories (Red Hat, Canonical, SUSE, Fedora, etc.) for specific patched kernel version numbers and availability timelines.

Can this be mitigated without patching?

Limiting local user access and disabling device driver functionality may reduce risk, but neither is a complete mitigation. Kernel patching is the definitive remediation.

This analysis is based on publicly available CVE information as of the publication date. Exploit code and weaponized proof-of-concepts are not provided. Organizations should verify patch availability and version numbers against their Linux vendor's official security advisories before deployment. SEC.co does not provide warranty regarding the completeness or accuracy of this analysis; use at your own risk and consult with your security team for deployment decisions. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).