PatchSiren cyber security CVE debrief
CVE-2026-46183 Linux CVE debrief
A use-after-free vulnerability exists in the Linux kernel's DAMON (Data Access MONitor) sysfs interface. The `damon_sysfs_quot_goal->path` field can be read and written by users via the DAMON sysfs 'path' file. While reads for parameter committing to DAMON are protected by `damon_sysfs_lock`, user-driven direct reads and writes were not protected. A writer could deallocate the path-pointing buffer while a reader (using a separate open file) accesses it, resulting in use-after-free. The fix protects both user-direct reads and writes with `damon_sysfs_lock`.
- Vendor: Linux
- Product: Unknown
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
Linux system administrators running kernels with DAMON enabled, particularly on multi-user systems where untrusted users may have access to sysfs interfaces; kernel security teams; and organizations using DAMON for memory monitoring in production environments.
Technical summary
The DAMON (Data Access MONitor) subsystem in the Linux kernel provides a sysfs interface for configuring monitoring schemes. The `damon_sysfs_quot_goal` structure contains a `path` field that is accessible via the sysfs 'path' file. This field can be read and written by users, and is also read internally when committing {on,off}line parameters to DAMON. While the internal reads for parameter committing were protected by `damon_sysfs_lock`, the user-driven direct reads and writes were not. A race condition exists where a write operation (which calls `kfree()` on the path buffer) can occur concurrently with a read operation from a separate open file descriptor. Although kernfs serializes operations on the same open file, using separate file descriptors for read and write is common. This results in a use-after-free condition when the reader accesses the already-freed buffer. The resolution adds `damon_sysfs_lock` protection around both user-direct reads and writes to prevent this race condition.
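The locking pattern described above, as a userspace model added for illustration (it is not the kernel patch or code from the advisory). The struct, the function names and the sample path are hypothetical; a pthread mutex stands in for `damon_sysfs_lock` and `malloc()`/`free()` for the kernel allocator.

```c
/* Userspace model (constructed); all struct and function names are hypothetical. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
struct goal_model { char *path; };   /* models damon_sysfs_quot_goal->path */
static pthread_mutex_t model_lock = PTHREAD_MUTEX_INITIALIZER; /* damon_sysfs_lock */

/* BEFORE (racy): nothing stops a store on another fd freeing ->path mid-read. */
ssize_t path_show_unlocked(struct goal_model *g, char *buf, size_t len)
{
	return snprintf(buf, len, "%s\n", g->path ? g->path : "");
}

/* AFTER: the pointer load and the copy-out both happen under the lock. */
ssize_t path_show_locked(struct goal_model *g, char *buf, size_t len)
{
	ssize_t n;
	pthread_mutex_lock(&model_lock);
	n = snprintf(buf, len, "%s\n", g->path ? g->path : "");
	pthread_mutex_unlock(&model_lock);
	return n;
}

/* AFTER: build the new buffer first, then swap and free under the lock. */
ssize_t path_store_locked(struct goal_model *g, const char *buf, size_t count)
{
	char *new_path = malloc(count + 1);
	if (!new_path)
		return -1;               /* the kernel would return -ENOMEM */
	memcpy(new_path, buf, count);
	new_path[count] = '\0';
	pthread_mutex_lock(&model_lock);
	free(g->path);                   /* no reader can be inside path_show_locked */
	g->path = new_path;
	pthread_mutex_unlock(&model_lock);
	return (ssize_t)count;
}

int main(void)
{
	struct goal_model g = { NULL };
	char out[64];
	path_store_locked(&g, "/constructed/cgroup", 19);  /* constructed sample path */
	path_show_locked(&g, out, sizeof(out));
	fputs(out, stdout);
	free(g.path);
	return 0;
}
```

The reader copies the string out while it still holds the lock. Taking the lock only to fetch the pointer and formatting it afterwards would leave the same window open.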
Defensive priority
high
Recommended defensive actions
- Apply kernel patches from stable kernel commits referenced in the source corpus to add `damon_sysfs_lock` protection around user-direct reads and writes of `damon_sysfs_quot_goal->path`
- Restrict access to DAMON sysfs interfaces to privileged users only
- Monitor for suspicious access patterns to `/sys/kernel/mm/damon/` sysfs files from unprivileged processes
- Review systems running DAMON-enabled kernels for signs of memory corruption or unexpected behavior
- Prioritize patching on systems where untrusted users have access to DAMON sysfs interfaces
Evidence notes
The vulnerability description is sourced from the official CVE record published 2026-05-28. The fix involves adding `damon_sysfs_lock` protection around user-accessible read/write operations on the `path` field in `mm/damon/sysfs-schemes`. Kernel commit references are provided in the source corpus.
Official resources
- CVE-2026-46183 CVE record (CVE.org)
- CVE-2026-46183 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
2026-05-28