HIGH 7.8

CVE-2026-46285: Linux Kernel docg3 Use-After-Free Vulnerability – Patch Guidance

A use-after-free memory safety bug exists in the Linux kernel's docg3 driver (NAND flash memory controller). When the driver is unloaded or a device is released, a pointer to the main docg3 structure is dereferenced after the memory it points to has already been freed. This can lead to a crash or, in certain conditions, potential code execution. The fix is straightforward: use an already-available pointer to the cascade structure instead of trying to access the freed docg3 object.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
1 configuration(s)
Published / Modified
2026-06-08 / 2026-07-08

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: mtd: docg3: fix use-after-free in docg3_release() In docg3_release(), the docg3 pointer is obtained from cascade->floors[0]->priv before the loop that calls doc_release_device() on each floor. doc_release_device() frees the docg3 struct via kfree(docg3) at line 1881. After the loop, docg3->cascade->bch dereferences the already-freed pointer. Fix this by accessing cascade->bch directly, which is equivalent since docg3->cascade points back to the same cascade struct, and is already available as a local variable. This also removes the now-unused docg3 local variable.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46285 is a use-after-free (CWE-416) vulnerability in docg3_release() within the Linux kernel's MTD (Memory Technology Devices) docg3 driver. The bug occurs because docg3 is dereferenced via cascade->floors[0]->priv, then doc_release_device() is called in a loop, which eventually frees the docg3 struct via kfree() at line 1881. After the loop completes, the code attempts to access docg3->cascade->bch, referencing memory that has been freed. The cascade pointer is already available as a local variable and contains the same bch member, making the freed dereference unnecessary. The patch eliminates the unsafe docg3 dereference by accessing cascade->bch directly.

Business impact

Systems running affected Linux kernel versions with docg3 driver support (primarily embedded or specialized storage devices using DiskOnChip NAND flash) face denial-of-service risk when the driver is unloaded or the device is released. The HIGH severity rating reflects the potential for local privilege escalation on multi-user systems, since the vulnerability requires local access and the CVSS vector indicates high confidentiality, integrity, and availability impact. On systems where docg3 hardware is not present or the driver is not loaded, impact is minimal.

Affected systems

The Linux kernel is affected. Specific impact depends on kernel version and whether the docg3 driver is compiled in or loaded as a module. Systems using DiskOnChip NAND storage controllers, including some industrial, embedded, or legacy storage systems, are most likely to be affected. Verify your kernel version and driver configuration against the vendor advisory or your distribution's kernel package information.

Exploitability

Exploitation requires local access (AV:L) and the ability to trigger driver unload or device release, which typically requires unprivileged user privileges (PR:L). No elevated privileges are needed to initiate the release. The vulnerability is reliably triggerable—once conditions are met, the use-after-free is almost certain to occur. No complex manipulation or race conditions are required. Public exploit code is unlikely to exist given this is a memory safety issue rather than a logical flaw, but proof-of-concept code demonstrating the crash is straightforward for researchers with kernel debugging knowledge.

Remediation

Apply patches provided by your Linux distribution or compile an updated kernel with the fix applied. The remedy requires no configuration changes—simply updating to a patched kernel version is sufficient. Systems running unaffected kernel versions or lacking the docg3 driver do not require action. Downstream distributions and vendors should have backported fixes available; verify availability for your specific kernel branch and distribution.

Patch guidance

Consult your Linux distribution's security advisories for patched kernel versions. Stable, long-term support (LTS) kernel branches and major distributions have released or will release updates. For distributions not yet publishing patches, monitor your vendor's security page or subscribe to kernel mailing list notifications. If compiling custom kernels, apply the fix directly: replace the docg3 dereference with direct cascade->bch access as described in the upstream commit. Test the patched kernel in a non-production environment before deployment, especially on systems dependent on docg3 hardware.

Detection guidance

Monitor system logs for docg3 driver panic or NULL pointer dereference messages coinciding with driver unload or device release operations. Kernel crash dumps (if configured) may show stack traces containing docg3_release() and doc_release_device(). Security information and event management (SIEM) systems ingesting kernel audit logs can trigger on driver unload events. Intrusion detection systems are unlikely to detect this vulnerability in transit, as it requires local execution. The most practical detection method is reviewing kernel logs after the system has experienced an unplanned reboot or crash and correlating timestamps with docg3 driver operations.

Why prioritize this

Prioritize this vulnerability if your systems run the docg3 driver, particularly in multi-user or high-availability environments where a crash constitutes a significant availability impact. The HIGH CVSS score reflects realistic privilege escalation and system compromise risk. However, if docg3 is not used (absent from your hardware or disabled in kernel configuration), remediation priority is lower. Organizations should assess hardware inventory and kernel configurations to determine true affected asset count before allocating resources.

Risk score, explained

CVSS v3.1 score of 7.8 (HIGH) is justified by: AV:L (attack requires local system access, not remote), AC:L (trivial to trigger once local access is gained), PR:L (unprivileged user can cause the release), UI:N (no user interaction required), and impact scores C:H/I:H/A:H (confidentiality, integrity, and availability all fully compromised on affected systems). The use-after-free can lead to information disclosure, privilege escalation, or denial of service depending on heap memory state and attacker capability. The local-only attack vector prevents remote exploitation but does not diminish the severity for systems where docg3 is active.

Frequently asked questions

Does this vulnerability affect my system if I do not use DiskOnChip NAND storage?

No, not directly. If your system does not have docg3 hardware and the driver is not loaded or compiled into the kernel, this vulnerability cannot be triggered. Check your kernel configuration (typically in /boot/config-* on Linux) for CONFIG_MTD_DOCG3. If it is not present or set to 'n', you are unaffected.

Can this vulnerability be exploited remotely?

No. The CVSS vector specifies AV:L (Attack Vector: Local), meaning an attacker must have local system access to trigger the use-after-free. Remote attackers cannot exploit this vulnerability directly.

What is the difference between applying a distribution patch and compiling a custom kernel fix?

Distribution patches (from your Linux vendor) are tested and optimized for your specific kernel branch and hardware. Custom kernel compilation ensures you have the fix but requires more testing and may introduce incompatibilities if not done carefully. For most users, waiting for and applying distribution patches is the safer approach. Custom compilation is appropriate if your vendor has not yet released a patch and your risk tolerance justifies the testing effort.

If I cannot patch immediately, are there workarounds?

No reliable workaround exists other than ensuring the docg3 driver is not loaded or used. If the driver is a module, it can be blacklisted in your kernel boot parameters or module configuration to prevent loading. If it is compiled in, only a kernel rebuild or upgrade will fully mitigate the vulnerability. If docg3 hardware is present but not actively used, keeping the driver unloaded is the most effective interim risk reduction.

This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publication date. SEC.co does not guarantee the accuracy of vendor patch versions, release dates, or compatibility information; always verify against official vendor advisories before deployment. Proof-of-concept code is not provided in this document. Organizations are responsible for testing patches in their own environments before production rollout. This vulnerability analysis does not constitute legal, compliance, or investment advice. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).