PatchSiren cyber security CVE debrief

CVE-2026-43388 Linux CVE debrief

A use-after-free vulnerability in the Linux kernel's DAMON (Data Access MONitor) subsystem could allow local attackers to corrupt memory or cause denial of service. The flaw exists in damos_walk() where a stack-allocated walk_control structure pointer is left dangling when the DAMON context is inactive, creating conditions for use-after-free if the context is later started. While the described use-after-free path requires specific caller behavior not present in current code, the stale pointer can cause permanent -EBUSY errors on subsequent damos_walk() calls until the context is restarted. The vulnerability affects Linux kernel versions 6.14 through 6.18.18, 6.19 through 6.19.8, and 7.0-rc1 through 7.0-rc3.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-26
Advisory published: 2026-05-08
Advisory updated: 2026-05-26

Who should care

Linux kernel maintainers, system administrators running DAMON-enabled kernels, security teams monitoring kernel memory management vulnerabilities, and organizations using DAMON for memory access pattern monitoring in production environments.

Technical summary

The damos_walk() function in mm/damon/core.c sets ctx->walk_control to a caller-provided, stack-allocated structure before checking whether the DAMON context is running. If damon_is_running() returns false, the function returns -EINVAL without clearing ctx->walk_control, leaving a dangling pointer to the caller's stack frame. Because that pointer is published under walk_control_lock and persists in the context, it can lead to a use-after-free if the context is later started (kdamond dereferences ctx->walk_control in damos_walk_cancel()), or to a permanent -EBUSY on every subsequent damos_walk() call, since each one sees a non-NULL walk_control and refuses to proceed. The fix clears ctx->walk_control before returning -EINVAL, matching the pattern applied to damon_call() in commit f9132fbc2e83.
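To make the -EBUSY symptom concrete, the following userspace C model contrasts the dangling-pointer path with the fixed one. This is an added example written for this debrief, not kernel code: the struct layouts, the names damos_walk_buggy, damos_walk_fixed and walk_twice_on_inactive are constructed, and walk_control_lock is omitted because the model is single-threaded.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-ins for the kernel structures (not the real definitions). */
struct walk_control { bool canceled; };
struct damon_ctx {
    bool running;                       /* models damon_is_running(ctx) */
    struct walk_control *walk_control;  /* in the kernel: guarded by walk_control_lock */
};

/* Vulnerable pattern: the pointer is published before the running check and
 * is left in place on the -EINVAL path, pointing at the caller's stack. */
static int damos_walk_buggy(struct damon_ctx *ctx, struct walk_control *control)
{
    if (ctx->walk_control)
        return -EBUSY;                  /* a walk is (apparently) still in flight */
    ctx->walk_control = control;
    if (!ctx->running)
        return -EINVAL;                 /* BUG: ctx->walk_control still set */
    /* ... kdamond would service the walk and clear the pointer here ... */
    ctx->walk_control = NULL;
    return 0;
}

/* Fixed pattern: clear ctx->walk_control before returning -EINVAL. */
static int damos_walk_fixed(struct damon_ctx *ctx, struct walk_control *control)
{
    if (ctx->walk_control)
        return -EBUSY;
    ctx->walk_control = control;
    if (!ctx->running) {
        ctx->walk_control = NULL;       /* FIX: no stale pointer left behind */
        return -EINVAL;
    }
    ctx->walk_control = NULL;
    return 0;
}

/* Issue two walks against an inactive context and return the second result.
 * Each walk_control lives only in its own block scope, mirroring the
 * stack-allocated structures the kernel callers use. */
static int walk_twice_on_inactive(int (*walk)(struct damon_ctx *, struct walk_control *))
{
    struct damon_ctx ctx = { .running = false, .walk_control = NULL };
    {
        struct walk_control first = { .canceled = false };
        (void)walk(&ctx, &first);       /* -EINVAL for both variants */
    }
    struct walk_control second = { .canceled = false };
    return walk(&ctx, &second);         /* buggy: -EBUSY, fixed: -EINVAL */
}
```

With the buggy variant every later call fails with -EBUSY until the context is torn down, which is the "permanent -EBUSY" the advisory describes; with the fix each call independently reports -EINVAL.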

Defensive priority

Medium

Recommended defensive actions

  • Apply kernel patches from stable branches: 6.18.19+, 6.19.9+, or 7.0-rc4+
  • Verify DAMON contexts are properly initialized before damos_walk() calls in custom kernel modules
  • Monitor for unexpected -EBUSY returns from DAMON operations as a potential indicator of trigger attempts
  • Restart DAMON contexts if -EBUSY persists on walk operations (workaround until patched)
  • Review custom DAMON callers for patterns that start contexts after failed damos_walk() calls

Evidence notes

The vulnerability description indicates real-world exploitability is constrained: no existing damos_walk() callers start the context after a failed walk, preventing the described use-after-free. The practical impact is limited to -EBUSY confusion until context restart. This structural pattern was previously fixed in commit f9132fbc2e83 for damon_call().
