CVE-2026-46288— of: unittest: fix use-after-free in of_unittest_changeset()
Possible ATT&CK Techniques 1AI
T1211 · Exploitation for StealthAffected Version Matrix 10
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 1c668ea65506e67ce2eae07b69bb09fcdd86e309< 37318d1a27c9cc5a70d3cd7e49e30ec86f2b8ca1 | affected |
1c668ea65506e67ce2eae07b69bb09fcdd86e309< 7f0f0926f3010b10cff5e93446258f971e42f2fd | affected | ||
1c668ea65506e67ce2eae07b69bb09fcdd86e309< 6fdad20b7975bdc32e85b45f8f7c640f6687b81f | affected | ||
1c668ea65506e67ce2eae07b69bb09fcdd86e309< faecdd423c27f0d6090156a435ba9dbbac0eaddb | affected | ||
6.12 | affected | ||
< 6.12 | unaffected | ||
6.12.86≤ 6.12.* | unaffected | ||
6.18.27≤ 6.18.* | unaffected | ||
| … +2 more rows | |||
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-46288
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
of: unittest: fix use-after-free in of_unittest_changeset()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: of: unittest: fix use-after-free in of_unittest_changeset() The variable 'parent' is assigned the value of 'nchangeset' earlier in the function, meaning both point to the same struct device_node. The call to of_node_put(nchangeset) can decrement the reference count to zero and free the node if there are no other holders. After that, the code still uses 'parent' to check for the presence of a property and to read a string property, leading to a use-after-free. Fix this by moving the of_node_put() call after the last access to 'parent', avoiding the UAF.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于of_unittest_changeset函数中释放后重用,可能导致系统崩溃。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-46288
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-46288
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-46288 (4)
Same Patch Batch · Linux · 2026-06-08 · 41 CVEs total
| CVE-2026-46289 | 9.8 CRITICAL | lib/scatterlist: fix length calculations in extract_kvec_to_sg |
| CVE-2026-46307 | 8.3 HIGH | wifi: ath5k: do not access array OOB |
| CVE-2026-46303 | 8.2 HIGH | isofs: validate Rock Ridge CE continuation extent against volume size |
| CVE-2026-46275 | 7.8 HIGH | Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths |
| CVE-2026-46280 | 7.8 HIGH | lib: test_hmm: evict device pages on file close to avoid use-after-free |
| CVE-2026-46274 | 7.8 HIGH | io-wq: check that the predecessor is hashed in io_wq_remove_pending() |
| CVE-2026-46277 | 7.8 HIGH | mm/zone_device: do not touch device folio after calling ->folio_free() |
| CVE-2026-46311 | 7.8 HIGH | drm/amdgpu/userq: fix access to stale wptr mapping |
| CVE-2026-46306 | 7.5 HIGH | flow_dissector: do not dissect PPPoE PFC frames |
| CVE-2026-46304 | 7.5 HIGH | nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free |
| CVE-2026-46299 | 7.0 HIGH | hfsplus: fix held lock freed on hfsplus_fill_super() |
| CVE-2025-71315 | drm/vkms: Convert to DRM's vblank timer | |
| CVE-2026-46287 | net: txgbe: fix RTNL assertion warning when remove module | |
| CVE-2026-46286 | leds: qcom-lpg: Check for array overflow when selecting the high resolution | |
| CVE-2026-46285 | mtd: docg3: fix use-after-free in docg3_release() | |
| CVE-2026-46284 | mm/hugetlb: fix early boot crash on parameters without '=' separator | |
| CVE-2026-46283 | tpm: Use kfree_sensitive() to free auth session in tpm_dev_release() | |
| CVE-2026-46282 | iio: frequency: admv1013: fix NULL pointer dereference on str | |
| CVE-2026-46281 | vmalloc: fix buffer overflow in vrealloc_node_align() | |
| CVE-2026-46279 | mm/alloc_tag: clear codetag for pages allocated before page_ext initialization |
Showing top 20 of 41 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-46331
net/sched: fix pedit partial COW leading to page cache corru - CVE-2026-52907
media: rockchip: rkcif: fix off by one bugs - CVE-2026-52906
9p: fix access mode flags being ORed instead of replaced - CVE-2026-52905
mm/damon/core: disallow non-power of two min_region_sz on da - CVE-2026-52904
drm/nouveau: fix nvkm_device leak on aperture removal failur
Same vendor: Linux
- CVE-2026-46331
net/sched: fix pedit partial COW leading to page cache corru - CVE-2026-52907
media: rockchip: rkcif: fix off by one bugs - CVE-2026-52906
9p: fix access mode flags being ORed instead of replaced - CVE-2026-52905
mm/damon/core: disallow non-power of two min_region_sz on da - CVE-2026-52904
drm/nouveau: fix nvkm_device leak on aperture removal failur
V. Comments for CVE-2026-46288
No comments yet