CVE-2026-46308: Linux Kernel MediaTek Use-After-Free Privilege Escalation
A use-after-free vulnerability exists in the Linux kernel's power domain management code for MediaTek processors. The vulnerable function releases a device node reference too early, before checking if a subsequent operation failed. If that operation fails, error-handling code attempts to read the already-freed memory to generate a diagnostic message, potentially causing a crash or memory corruption. An attacker with local system access could exploit this to elevate privileges or cause a denial of service.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-07-08
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy() In scpsys_get_bus_protection_legacy(), of_find_node_with_property() returns a device node with its reference count incremented. The function then calls of_node_put(node) before checking whether syscon_regmap_lookup_by_phandle() returns an error. If an error occurs, dev_err_probe() dereferences the node pointer to print diagnostic information, but the node memory may have already been freed due to the earlier of_node_put(), leading to a use-after-free vulnerability. Fix this by moving the of_node_put() call after the error check, ensuring the node is still valid when accessed in the error path.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46308 is a use-after-free flaw (CWE-416) in the Linux kernel's pmdomain mediatek driver, specifically in the scpsys_get_bus_protection_legacy() function. The function obtains a reference to a device node via of_find_node_with_property(), then prematurely calls of_node_put() to release that reference. If the subsequent syscon_regmap_lookup_by_phandle() call fails, the error handling path in dev_err_probe() dereferences the freed node pointer to output diagnostic information. This creates a classic use-after-free condition where freed memory is accessed during the error path. The fix involves reordering the cleanup: of_node_put() is deferred until after the error check completes, guaranteeing the node remains valid if referenced in error handling.
Business impact
This vulnerability affects systems running vulnerable Linux kernels on MediaTek-based platforms, which include many mobile devices, IoT hardware, and embedded systems. A local attacker with user-level access can trigger the flaw to cause kernel memory corruption or a system crash (denial of service). In privilege-escalation scenarios, the attacker could potentially manipulate heap state prior to exploitation to gain elevated system privileges. For organizations deploying MediaTek-based edge devices, IoT gateways, or embedded Linux systems, this represents a local privilege escalation and availability risk.
Affected systems
The vulnerability affects the Linux kernel across all versions prior to the patch. It is specific to systems using MediaTek power domain management (pmdomain mediatek driver), meaning it impacts MediaTek SoC-based devices including certain mobile platforms, embedded Linux systems, and IoT appliances. Desktop and server Linux systems without MediaTek hardware are not affected.
Exploitability
Exploitability requires local system access (AV:L) and no special privileges beyond a standard user account (PR:L). Once an attacker has a user-level shell, triggering the vulnerable code path is straightforward—inducing an error condition during power domain initialization or configuration. The vulnerability is not remotely exploitable and requires direct system access. Given the local attack surface, this is a meaningful risk for multi-user systems, mobile devices, or IoT hardware where untrusted code may run locally.
Remediation
Apply the Linux kernel patch that defers of_node_put() until after error checking in scpsys_get_bus_protection_legacy(). Verify the patch version against the Linux kernel stable release notes and your distribution's advisory. For systems where immediate patching is not feasible, disable or restrict local user access where possible and monitor system logs for unexpected kernel crashes or errors related to power domain initialization.
Patch guidance
Obtain the patched Linux kernel version from your distribution's security advisory or kernel.org. Verify that the patch includes the reordering of of_node_put() to occur after the syscon_regmap_lookup_by_phandle() error check. Testing should focus on power domain initialization under error conditions to confirm the fix resolves the issue without introducing new regressions. Coordinate kernel updates with system reboot windows as needed for your infrastructure.
Detection guidance
Monitor system logs and kernel debugging output for crashes or use-after-free warnings in the pmdomain mediatek driver during system boot or power state transitions. Kernel Address Sanitizer (KASAN) or similar runtime checkers can detect this flaw if the system is instrumented. Check for unexpected kernel panics with stack traces referencing scpsys_get_bus_protection_legacy(). On vulnerable systems, triggering an error in syscon_regmap_lookup_by_phandle() (for example, by removing or misconfiguring the device tree node) may produce detectable memory corruption artifacts.
Why prioritize this
This vulnerability merits prompt remediation due to its HIGH severity rating (CVSS 7.8), the ease of local exploitation once access is obtained, and its direct impact on system stability and privilege boundaries. Although it requires local access, the minimal prerequisites (standard user privileges, no interaction required) and universal local availability on affected systems make it a realistic attack vector. Priority should be higher for systems with untrusted user accounts, multi-tenant deployments, or public-facing edge devices.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects a local attack vector, low complexity to exploit, low privilege requirements, and no user interaction. The impact is severe: the vulnerability permits both confidentiality and integrity breaches (reading/writing freed memory) as well as availability impact (kernel crash). The score appropriately weights the seriousness of a use-after-free in kernel context, where memory corruption can lead to privilege escalation or system takeover, despite the local-only attack requirement.
Frequently asked questions
Does this vulnerability affect my Linux desktop or server if it doesn't use MediaTek hardware?
No. The vulnerability is specific to the MediaTek power domain driver. Desktop and server systems using Intel, AMD, ARM Cortex-A, or other processors without MediaTek power domain management are not affected. Check your system's hardware and kernel configuration to confirm.
Can this be exploited remotely over the network?
No. This requires local system access (AV:L in the CVSS vector). An attacker must have a shell or ability to execute code on the affected system. Remote network-based exploitation is not possible.
What is the practical impact if the flaw is triggered?
The most likely outcome is a kernel crash (denial of service) or memory corruption that could allow an unprivileged local user to escalate privileges or access sensitive kernel memory. The exact impact depends on how the freed memory is reused and the attacker's knowledge of heap layout.
If I cannot patch immediately, what compensating controls reduce my risk?
Restrict local user access to trusted accounts only, use SELinux or AppArmor to confine unprivileged processes, disable remote login for non-essential accounts, and monitor kernel logs for crashes. These reduce exposure but do not eliminate the vulnerability—patching is the definitive fix.
This analysis is based on the CVE record and publicly available information as of the publication date. Exploit availability, active attacks, and patch release status may change; verify current information with your kernel vendor and distribution. This summary is for informational and defensive purposes only. Organizations should conduct their own risk assessment based on their specific hardware, use cases, and environment. Always test patches in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance