CVE-2026-46280: Linux Kernel HMM Use-After-Free in Device Memory Handling
A vulnerability exists in the Linux kernel's HMM (Heterogeneous Memory Management) testing module where device memory pages are not properly returned to system memory when a test file is closed. This creates a situation where the kernel retains references to freed memory structures. If the system later tries to access those orphaned pages—such as during a crash dump—it will attempt to dereference invalid memory pointers, causing a kernel panic. The issue was observed on ARM64 systems during automated testing.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-07-08
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: lib: test_hmm: evict device pages on file close to avoid use-after-free Patch series "Minor hmm_test fixes and cleanups". Two bugfixes a cleanup for the HMM kernel selftests. These were mostly reported by Zenghui Yu with special thanks to Lorenzo for analysing and pointing out the problems. This patch (of 3): When dmirror_fops_release() is called it frees the dmirror struct but doesn't migrate device private pages back to system memory first. This leaves those pages with a dangling zone_device_data pointer to the freed dmirror. If a subsequent fault occurs on those pages (eg. during coredump) the dmirror_devmem_fault() callback dereferences the stale pointer causing a kernel panic. This was reported [1] when running mm/ksft_hmm.sh on arm64, where a test failure triggered SIGABRT and the resulting coredump walked the VMAs faulting in the stale device private pages. Fix this by calling dmirror_device_evict_chunk() for each devmem chunk in dmirror_fops_release() to migrate all device private pages back to system memory before freeing the dmirror struct. The function is moved earlier in the file to avoid a forward declaration.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46280 is a use-after-free vulnerability in lib/test_hmm.c. The dmirror_fops_release() function frees the dmirror struct without first migrating device private pages (marked with zone_device_data pointers) back to system memory. When a subsequent page fault occurs on these device pages—particularly during coredump processing—the dmirror_devmem_fault() callback dereferences a stale pointer to the freed dmirror struct, triggering a kernel panic. The fix involves invoking dmirror_device_evict_chunk() during file release to ensure all device memory pages are evicted and migrated to system RAM before struct deallocation.
Business impact
This vulnerability affects systems running affected Linux kernel versions that utilize HMM features for GPU or accelerator memory management, particularly on ARM64 architectures. While triggered in a test module context, the underlying code patterns may affect production HMM implementations. The primary risk is unplanned kernel crashes during memory fault handling or system diagnostics (coredumps), which can cause service disruption and complicate post-incident analysis. Systems relying on HMM for heterogeneous compute workloads should prioritize remediation to prevent crash-induced downtime.
Affected systems
The vulnerability resides in the Linux kernel HMM test module (lib/test_hmm.c) and affects Linux kernel versions containing this code path. ARM64 systems running automated HMM tests are confirmed vulnerable. Any production kernel with similar HMM memory management patterns in user-facing code could be at risk, though the reported vector is specifically the testing harness. Desktop, server, and embedded systems running vulnerable kernel versions are in scope.
Exploitability
Exploitation requires local access to trigger the vulnerability, as indicated by the CVSS vector (AV:L, PR:L). An authenticated local user must interact with the HMM test module (or equivalent production code) in a way that causes device pages to persist after file closure, followed by a fault condition (coredump, page migration, or memory access). The crash is not easily triggered in typical workloads but reliably reproduces during test execution or system diagnostics. No remote exploitation path exists.
Remediation
Apply the kernel patch that modifies dmirror_fops_release() to call dmirror_device_evict_chunk() for each device memory chunk prior to freeing the dmirror struct. This ensures all device private pages are migrated back to system memory, eliminating dangling pointers. The patch also relocates dmirror_device_evict_chunk() earlier in the file to avoid forward declaration. Verify the fix against the Linux kernel stable branches corresponding to your deployed versions.
Patch guidance
Identify your Linux kernel version and check the upstream kernel repository for the HMM test module fix (part of a 3-patch series addressing HMM test issues). Backports may be available for stable and LTS branches. Testing on ARM64 systems is recommended given the platform-specific reproduction conditions. Validate that the patch includes the eviction call in dmirror_fops_release() and that device pages are properly migrated before struct deallocation.
Detection guidance
Monitor kernel logs for page fault panics referencing dmirror_devmem_fault() or zone_device_data corruption, especially following test execution or coredump generation. If HMM is active on your systems, audit for use of lib/test_hmm module in production—it should only be present in test/development environments. Enable kernel debugging (CONFIG_DEBUG_PAGEALLOC, CONFIG_KASAN) in test environments to catch use-after-free earlier. Check for kernel crashes with stack traces mentioning dev_pagemap or device private page handling.
Why prioritize this
A CVSS 7.8 HIGH severity local use-after-free vulnerability warrants prompt attention, particularly for ARM64 infrastructure and any systems where HMM is actively used. While exploitation requires local access and specific trigger conditions, the consequence—kernel panic—is severe for availability and incident response workflows. The narrow attack surface (local, authenticated) and test-module origin reduce business risk for production deployments, but systems with HMM enabled or running kernel selftests should prioritize patching.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects a local vulnerability with low attack complexity, requiring low privilege and no user interaction. The impact is complete across confidentiality, integrity, and availability due to the kernel panic and potential memory corruption. The scope is unchanged (local only). The score is appropriate given the severity of kernel crashes but appropriately discounted by the local-only attack vector.
Frequently asked questions
Is this vulnerability exploitable remotely?
No. The vulnerability requires local access to the system and authenticated user privileges. It cannot be triggered over the network.
What systems are truly at risk in production?
Primarily systems running HMM features for GPU or accelerator memory offloading on ARM64 architectures. The reported vulnerability is in the test module, but similar patterns in production HMM code could pose risk. Desktop and server systems without active HMM workloads are at lower risk.
What happens if I don't patch this?
Unpatched systems may experience kernel panics when device private pages are accessed after the HMM module is unloaded or test files are closed, particularly during system diagnostics or coredumps. This causes service disruption and can interfere with post-incident analysis.
Do I need to patch if I don't use HMM?
If HMM is disabled or not in use on your systems, this vulnerability poses minimal risk. Verify that CONFIG_HMM and lib/test_hmm are not active in your kernel configuration.
This analysis is based on publicly available vulnerability data and kernel source information. Specific patch version numbers and backport availability should be verified against the Linux kernel stable branch repositories and your vendor's security advisories. Testing in a non-production environment is strongly recommended before applying patches. This vulnerability has not been added to the CISA KEV catalog. No public exploits are known at the time of analysis. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance