PatchSiren


CVE-2026-46277 Linux CVE debrief

A HIGH severity vulnerability (CVSS 7.8) was found in the Linux kernel's handling of device folios in the mm/zone_device module. The code accesses a device folio after it has been freed, a use-after-free that can lead to unexpected behavior. The fix uses a local stack variable when calling percpu_ref_put_many(), instead of touching the folio again to extract the pgmap.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-08
Original CVE updated: 2026-06-14
Advisory published: 2026-06-08
Advisory updated: 2026-06-14

Who should care

Users of the Linux kernel should be aware of this vulnerability and take steps to ensure their systems are updated with the patched version.

Technical summary

The vulnerability exists because the contents of a device folio can change immediately after ->folio_free() is called: the folio may be reallocated by a driver with a different order. The fix uses a local stack variable when calling percpu_ref_put_many() instead of touching the folio again to extract the pgmap.
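
The pattern described above, reduced to a user-space C model (an added example, not the kernel patch and not code from the CVE record). All struct and function names are hypothetical stand-ins: driver_folio_free() models a driver reusing the folio inside ->folio_free(), and ref_put_many() stands in for percpu_ref_put_many().

```c
/* User-space model, constructed for illustration; not kernel code. */
#include <stdio.h>

struct pgmap_model { long ref; };   /* stands in for a pgmap and its reference count */
struct folio_model { struct pgmap_model *pgmap; unsigned order; };

static struct pgmap_model pgmap_a = { 100 }, pgmap_b = { 100 };

/* Models ->folio_free(): the driver reuses the folio at once, with a new order and pgmap. */
static void driver_folio_free(struct folio_model *f)
{
    f->pgmap = &pgmap_b;
    f->order = 0;
}

/* Stand-in for percpu_ref_put_many(): drop nr references. */
static void ref_put_many(struct pgmap_model *p, long nr) { p->ref -= nr; }

/* Before: touches the folio again after ->folio_free() to extract the pgmap. */
static void free_folio_buggy(struct folio_model *f)
{
    long nr = 1L << f->order;
    driver_folio_free(f);
    ref_put_many(f->pgmap, nr);     /* stale read: the folio was already reused */
}

/* After: the pgmap is held in a local stack variable across ->folio_free(). */
static void free_folio_fixed(struct folio_model *f)
{
    struct pgmap_model *pgmap = f->pgmap;
    long nr = 1L << f->order;
    driver_folio_free(f);
    ref_put_many(pgmap, nr);
}

/* Frees an order-2 folio owned by pgmap_a; returns pgmap_a.ref afterwards. */
static long run_model(int fixed)
{
    struct folio_model f = { &pgmap_a, 2 };
    pgmap_a.ref = pgmap_b.ref = 100;
    if (fixed) free_folio_fixed(&f); else free_folio_buggy(&f);
    return pgmap_a.ref;
}

int main(void)
{
    printf("buggy a.ref=%ld, fixed a.ref=%ld\n", run_model(0), run_model(1));
    return 0;
}
```

In the buggy path the four references are dropped from the wrong pgmap, so the original owner's count never falls and the new owner's count is corrupted; the fixed path releases them from the pgmap that actually held them.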

Defensive priority

high

Recommended defensive actions

  • Update to the latest version of the Linux kernel that includes the patch for this vulnerability. Refer to [cve-org] for more information.
  • Review and apply the patches provided by the Linux kernel maintainers, available at [ref-4] and [ref-5].

Evidence notes

The CVE record [cve-org] provides an official description of the vulnerability. Additional information can be found in the NVD detail page [nvd]. The vulnerability was reported and resolved through the Linux kernel development process, with references [ref-4] and [ref-5] providing more details about the patches applied.

Official resources

This debrief is based on the information provided in the CVE record and NVD detail page.