HIGH 8.4

CVE-2026-46288: Linux Kernel Use-After-Free in OF Unit Test Code

CVE-2026-46288 is a use-after-free memory safety bug in the Linux kernel's device tree unit testing code. The vulnerability occurs because the code releases memory for a data structure but then continues to access that same memory through another variable pointing to the same location. This can lead to crashes, information disclosure, or potentially arbitrary code execution with local access. The issue is confined to kernel test infrastructure rather than production device tree handling, limiting its practical exposure, but it demonstrates a common class of memory management errors that merit fixing.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.4 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
1 configuration(s)
Published / Modified
2026-06-08 / 2026-07-08

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: of: unittest: fix use-after-free in of_unittest_changeset() The variable 'parent' is assigned the value of 'nchangeset' earlier in the function, meaning both point to the same struct device_node. The call to of_node_put(nchangeset) can decrement the reference count to zero and free the node if there are no other holders. After that, the code still uses 'parent' to check for the presence of a property and to read a string property, leading to a use-after-free. Fix this by moving the of_node_put() call after the last access to 'parent', avoiding the UAF.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

In the of_unittest_changeset() function within the kernel's device tree subsystem, the variable 'parent' is assigned a reference to 'nchangeset', making both point to the same struct device_node. An of_node_put(nchangeset) call decrements the reference count and may deallocate the underlying node if no other references remain. Subsequently, the code accesses 'parent' to check for properties and read string values, triggering a use-after-free condition. The fix involves relocating the of_node_put() call to after all accesses to 'parent', restoring proper reference counting semantics and preventing access to freed memory.

Business impact

This vulnerability affects Linux kernel maintainers and organizations running kernel unit tests in development or CI/CD environments. While the affected code path is test-only (not a production code flow), the underlying memory management pattern it exemplifies is critical for kernel reliability. Systems running custom kernel builds with CONFIG_OF_UNITTEST enabled in test scenarios could experience kernel panics or memory corruption if the code path is exercised. For most production deployments with standard kernel configurations, the practical exposure is minimal, as unit tests are typically disabled or not executed during normal system operation.

Affected systems

The vulnerability resides in the Linux kernel device tree (OF) unit testing framework. It is only exposed in kernel builds that include and execute the OF_UNITTEST code path, typically in development kernels or CI/CD test environments. Production systems running standard kernel builds with unit tests disabled are not affected. The issue affects multiple Linux kernel versions prior to patching; check your kernel version against the vendor's advisory for specific affected ranges.

Exploitability

Exploitability requires local access and the ability to trigger the of_unittest_changeset() function, which is not part of the normal kernel runtime—it is a test-time facility. The vulnerability cannot be triggered remotely or without executing test code explicitly. However, once the test is run, the use-after-free can lead to kernel memory corruption. The CVSS 3.1 score of 8.4 (HIGH) reflects the severity of the impact if exploited: high confidentiality, integrity, and availability consequences due to the memory safety nature of the flaw.

Remediation

Update the Linux kernel to a patched version addressing CVE-2026-46288. The fix is straightforward: relocating the of_node_put() call to after the last access to 'parent' in of_unittest_changeset(). Verify the specific kernel version containing the patch against the official Linux kernel security advisories or your distribution's security notices. For systems where the OF_UNITTEST code is not compiled or used, the exposure is reduced, though patching is still recommended for completeness.

Patch guidance

Apply the official Linux kernel patch for CVE-2026-46288 as published by the Linux kernel maintainers. Kernel distributions (Ubuntu, Red Hat, Debian, etc.) will release updated kernel packages; check your distribution's security advisory page for the affected versions and available updates. Test the patched kernel in a non-production environment before deployment. If you maintain custom kernels, verify that the patch has been cherry-picked or merged into your build.

Detection guidance

Monitor kernel logs and crash dumps for panics or memory corruption originating from the device tree or OF subsystem code paths. Systems executing kernel unit tests with OF_UNITTEST enabled should be audited to confirm test execution and any associated errors. Use KASAN (Kernel Address Sanitizer) or similar debugging tools in test environments to detect use-after-free conditions earlier in development. Check your kernel build configuration to confirm whether CONFIG_OF_UNITTEST is enabled; if not, the attack surface is eliminated.

Why prioritize this

While the CVSS score is HIGH (8.4), the practical prioritization depends on your environment. If you run production systems with standard kernel builds, this is lower priority because unit tests are not part of the normal runtime. However, if you maintain kernel development builds, CI/CD test suites, or custom kernels with testing enabled, this should be prioritized as it can cause system instability and data corruption. The memory safety implications and the simplicity of the fix warrant prompt remediation in development and test environments.

Risk score, explained

The CVSS 3.1 score of 8.4 (HIGH) reflects the attack vector (local), complexity (low), and impact (high across confidentiality, integrity, and availability). The score is appropriate for a use-after-free flaw that can corrupt kernel memory and crash the system. However, the practical risk is moderated by the fact that this is test code, not production code path, and requires explicit execution of unit tests to trigger. Organizations should adjust their internal risk rating based on whether unit test code is present and executed in their kernel configurations.

Frequently asked questions

Does this vulnerability affect my production Linux system?

Unlikely, unless you explicitly compiled your kernel with CONFIG_OF_UNITTEST enabled and are running kernel unit tests in production (which is rare). Most production kernels disable unit testing code. Check your kernel configuration with 'cat /boot/config-$(uname -r) | grep CONFIG_OF_UNITTEST' to determine your exposure.

What is a use-after-free and why is it serious?

A use-after-free occurs when code accesses memory after it has been deallocated. This can lead to reading or writing to memory that now contains other data, causing crashes, information disclosure, or code execution. In kernel code, it is particularly serious because it can corrupt kernel state and compromise system integrity.

How do I patch this on my system?

Update your Linux kernel to the patched version released by your distribution (Ubuntu, Red Hat, Debian, etc.) or the upstream Linux kernel project. Use your package manager (apt, yum, dnf) to install available security updates, then reboot. Verify the patch by checking the kernel version and reviewing security advisories from your vendor.

Can this vulnerability be exploited remotely?

No. The vulnerability requires local access and execution of the of_unittest_changeset() function, which is only available in kernel test code. Remote attackers cannot trigger this flaw. However, local users or test scripts with kernel execution privileges could potentially exploit it if unit tests are enabled.

This analysis is provided for informational and educational purposes. The vulnerability details, CVSS score, affected products, and patch information are based on official Linux kernel advisories and public records as of the publication date. Organizations should verify all patch versions, compatibility, and deployment procedures against their distribution's official security advisories before applying updates. No exploit code or detailed attack procedures are provided. Testing should be performed in non-production environments before deploying patches to production systems. SEC.co and its analysts make no warranty regarding the accuracy, completeness, or suitability of this information for any particular use case. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).