PatchSiren cyber security CVE debrief
CVE-2026-46285 Linux CVE debrief
A use-after-free vulnerability was discovered in the Linux kernel's mtd: docg3 module. The vulnerability occurs in the docg3_release() function where the docg3 pointer is obtained from cascade->floors[0]->priv before a loop that calls doc_release_device() on each floor. The doc_release_device() function frees the docg3 struct via kfree(docg3). After the loop, docg3->cascade->bch dereferences the already-freed pointer. The vulnerability has been resolved by accessing cascade->bch directly, which is equivalent since docg3->cascade points back to the same cascade struct and is already available as a local variable.
- Vendor: Linux
- Product: Unknown
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-08
Who should care
Users of the Linux kernel with the mtd: docg3 module enabled should be aware of this vulnerability. The source record does not provide vendor information, and its product name field is null.
Technical summary
The vulnerability is caused by a use-after-free error in the docg3_release() function. The function obtains the docg3 pointer from cascade->floors[0]->priv before a loop that calls doc_release_device() on each floor. The doc_release_device() function frees the docg3 struct via kfree(docg3). After the loop, docg3->cascade->bch dereferences the already-freed pointer. The fix accesses cascade->bch directly.
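The pattern described above, modelled in user-space C as an added example (not the kernel's code and not taken from the advisory). The struct layouts, `xalloc`, `release_device`, `make_cascade`, `release` and the freed-address table are assumptions for illustration; rather than touching freed memory, the model records which addresses the loop freed and reports whether the pointer used to reach `bch` afterwards is one of them.

```c
#include <stdint.h>
#include <stdlib.h>
#define MAX_FLOORS 4

/* Simplified stand-ins for the driver's structures (assumed layout). */
struct cascade;
struct docg3   { struct cascade *cascade; };   /* back-pointer to owner */
struct floor   { struct docg3 *priv; };
struct cascade { struct floor *floors[MAX_FLOORS]; void *bch; };

static uintptr_t freed[MAX_FLOORS];   /* addresses freed by the loop */
static int nfreed;
static void *xalloc(size_t n) { void *p = calloc(1, n); if (!p) abort(); return p; }

/* Stand-in for doc_release_device(): frees the floor's docg3. */
static void release_device(struct floor *f)
{
    freed[nfreed++] = (uintptr_t)f->priv;
    free(f->priv);
    free(f);
}

static struct cascade *make_cascade(int nfloors)   /* 1 <= nfloors <= MAX_FLOORS */
{
    struct cascade *c = xalloc(sizeof(*c));
    c->bch = xalloc(16);
    for (int i = 0; i < nfloors; i++) {
        c->floors[i] = xalloc(sizeof(struct floor));
        c->floors[i]->priv = xalloc(sizeof(struct docg3));
        c->floors[i]->priv->cascade = c;
    }
    return c;
}

/* Models docg3_release(): 1 if the pointer used to reach bch was freed by the loop. */
static int release(struct cascade *c, int fixed)
{
    struct docg3 *docg3 = c->floors[0]->priv;   /* cached before the loop */
    uintptr_t via = fixed ? (uintptr_t)c : (uintptr_t)docg3;
    int stale = 0;
    nfreed = 0;
    for (int i = 0; i < MAX_FLOORS; i++)
        if (c->floors[i]) release_device(c->floors[i]);
    for (int i = 0; i < nfreed; i++)
        stale |= (freed[i] == via);
    /* pre-fix: docg3->cascade->bch (docg3 freed above); fix: cascade->bch */
    free(c->bch);
    free(c);
    return stale;
}
```

`release(c, 0)` models the pre-fix access path and `release(c, 1)` the fixed one; both free `bch` through the still-live cascade so the model itself stays memory-safe.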
Defensive priority
medium
Recommended defensive actions
- Apply the patches provided by the Linux kernel maintainers to fix the vulnerability.
- Review and update the Linux kernel to ensure the fix is applied.
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd] respectively.
Official resources
- CVE-2026-46285 CVE record (CVE.org)
- CVE-2026-46285 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
The CVE was published and modified on 2026-06-08T17:16:46.347Z.