PatchSiren

CVE-2026-46025 Linux CVE debrief

A race condition in the Linux kernel's DAMON (Data Access MONitor) subsystem can cause memory leaks or deadlocks when `damon_call()` or `damos_walk()` operations race with kdamond thread termination. The vulnerability exists because request registration and the `damon_ctx->kdamond` unset operation were protected by different mutexes, allowing a window where a new request could be registered after cancellation but before termination was signaled. An attacker with local access could potentially trigger this race to cause denial of service through deadlock or memory exhaustion. The fix introduces a `call_controls_obsolete` flag protected by `call_controls_lock` to synchronize request registration with termination state, ensuring no new requests are accepted once cancellation begins.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators running kernels with DAMON enabled for memory access monitoring and optimization; kernel developers maintaining DAMON integrations; security teams assessing local denial of service exposure on multi-user systems where untrusted users may trigger DAMON operations.

Technical summary

The DAMON (Data Access MONitor) subsystem in the Linux kernel contains a race condition between `damon_call()` request registration and `kdamond_fn()` thread termination. The vulnerability stems from separate mutex protection: `damon_ctx->call_controls_lock` protects request queue operations while a different lock protects `damon_ctx->kdamond` state changes. This allows `damon_call()` to register a request, observe `kdamond` as still running, and begin waiting for completion after `kdamond_fn()` has already cancelled pending requests and begun termination, resulting in an infinite wait (deadlock) or a memory leak for `dealloc_on_cancel` requests. The fix introduces a `call_controls_obsolete` flag under `call_controls_lock` to atomically reject new requests once termination begins, eliminating the race window and removing the need for post-registration termination checks.
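The locking pattern described above, as an added userspace C model (not the kernel's code and not taken from the upstream patches). The struct layout, the `fixed` switch, the function names and the `-ECANCELED` return value are assumptions made for illustration; stepping the worker and the caller by hand shows a request registered between the cancel pass and the `kdamond` unset being accepted by the old check and never cancelled, while the obsolete flag rejects it.

```c
/* Constructed userspace model of the race described above; not kernel source. */
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>

struct request { struct request *next; bool canceled; };
struct ctx {
    pthread_mutex_t call_controls_lock; /* guards queue and obsolete */
    pthread_mutex_t kdamond_lock;       /* guards running only */
    struct request *queue;
    bool obsolete, running; /* model call_controls_obsolete / kdamond being set */
};

/* Worker step 1: cancel queued requests; the fixed variant also closes the queue. */
void cancel_pending(struct ctx *c, bool fixed)
{
    pthread_mutex_lock(&c->call_controls_lock);
    c->obsolete = fixed;
    for (struct request *r = c->queue; r; r = r->next)
        r->canceled = true;
    c->queue = NULL;
    pthread_mutex_unlock(&c->call_controls_lock);
}

/* Worker step 2: publish termination under the other lock. */
void unset_running(struct ctx *c)
{
    pthread_mutex_lock(&c->kdamond_lock);
    c->running = false;
    pthread_mutex_unlock(&c->kdamond_lock);
}

/* Caller: 0 = queued and now waiting; -ECANCELED (assumed value) = rejected. */
int register_request(struct ctx *c, struct request *r, bool fixed)
{
    pthread_mutex_lock(&c->call_controls_lock);
    bool rejected = fixed && c->obsolete;   /* checked under the cancel pass's lock */
    if (!rejected) {
        r->next = c->queue;
        c->queue = r;
    }
    pthread_mutex_unlock(&c->call_controls_lock);
    if (fixed)
        return rejected ? -ECANCELED : 0;
    pthread_mutex_lock(&c->kdamond_lock);   /* old check, under a different lock */
    bool alive = c->running;
    pthread_mutex_unlock(&c->kdamond_lock);
    return alive ? 0 : -ECANCELED;          /* dequeue on this path omitted */
}
```

Calling `cancel_pending()`, then `register_request()`, then `unset_running()` with `fixed` set to false leaves the late request queued and uncancelled; with `fixed` set to true the same sequence returns `-ECANCELED` and the queue stays empty.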

Defensive priority

medium

Recommended defensive actions

  • Apply the upstream kernel patches from the stable kernel git repository to affected systems
  • Monitor for kernel updates from Linux distribution vendors that incorporate the DAMON race condition fixes
  • Review systems utilizing DAMON for memory monitoring to assess exposure to local denial of service
  • Consider disabling DAMON if not required for workload optimization until patches are applied
  • Validate the kernel version after patching to ensure fixes for both the `damon_call()` and `damos_walk()` races are present

Evidence notes

The vulnerability description indicates this was found by 'sashiko' and affects the mm/damon/core subsystem. The fix involves a two-patch series addressing both `damon_call()` and `damos_walk()` race conditions. The race window exists between request queue registration and the kdamond termination check, with separate mutexes failing to provide atomicity. The fix removes the post-registration termination check as the pre-registration obsolete flag check provides sufficient protection.
