PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46288 Linux CVE debrief

A high-severity vulnerability, CVE-2026-46288, was found in the Linux kernel: a use-after-free in the of_unittest_changeset() function. Early in the function, 'nchangeset' is assigned to 'parent', so both variables point to the same struct device_node. The later call to of_node_put(nchangeset) can reduce the reference count to zero and free the node if there are no other holders. The code nevertheless continues to use 'parent' to check for the presence of a property and to read a string property, which is a use-after-free. The fix is to move the of_node_put() call after the last access to 'parent', which prevents the UAF.

Vendor: Linux
Product: Unknown
CVSS: HIGH 8.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-08
Original CVE updated: 2026-06-14
Advisory published: 2026-06-08
Advisory updated: 2026-06-14

Who should care

This vulnerability affects users of the Linux kernel. The CVSS score of 8.4 and a HIGH severity rating indicate that this vulnerability could have significant impacts if exploited.

Technical summary

The vulnerability is a use-after-free in the of_unittest_changeset() function of the Linux kernel. The issue arises from the premature call to of_node_put(nchangeset), which can free the node before it is last accessed through the 'parent' variable.
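
The ordering problem described above, modelled as an added example; this is not kernel code and not the upstream patch. The names toy_node, toy_node_put, toy_read and count_stale_reads are hypothetical, and the node is marked dead rather than freed so that reads after the final put can be counted without undefined behaviour.

```c
/* Toy refcounted node; stands in for, but is not, the kernel's struct device_node. */
#include <stdio.h>

struct toy_node {
    int refcount;
    int live;           /* cleared instead of free(), so stale reads stay observable */
    const char *label;  /* constructed stand-in for a string property */
};

static int stale_reads; /* reads made after the last reference was dropped */

/* Analogue of of_node_put(): the node dies when the count reaches zero. */
static void toy_node_put(struct toy_node *n)
{
    if (--n->refcount == 0)
        n->live = 0;
}

/* Analogue of a property lookup through a node pointer. */
static const char *toy_read(const struct toy_node *n)
{
    if (!n->live) {
        stale_reads++;
        return NULL;
    }
    return n->label;
}

/* put_first: 1 = ordering from the advisory, 0 = put after the last access.
 * other_holders: references held elsewhere, which keep the node alive. */
int count_stale_reads(int put_first, int other_holders)
{
    struct toy_node node = { 1 + other_holders, 1, "constructed-value" };
    struct toy_node *nchangeset = &node;
    struct toy_node *parent = nchangeset;   /* alias: no extra reference taken */
    stale_reads = 0;
    if (put_first)
        toy_node_put(nchangeset);
    (void)toy_read(parent);                 /* property presence check */
    (void)toy_read(parent);                 /* string property read */
    if (!put_first)
        toy_node_put(nchangeset);
    return stale_reads;
}

int main(void)
{
    printf("put-first/sole=%d put-first/shared=%d put-last/sole=%d\n",
           count_stale_reads(1, 0), count_stale_reads(1, 1), count_stale_reads(0, 0));
    return 0;
}
```

The second case shows why the early put can go unnoticed: while another holder keeps a reference, both reads through 'parent' still succeed.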

Defensive priority

HIGH

Recommended defensive actions

  • Apply the patches provided in the kernel.org references to fix the vulnerability.
  • Ensure that your Linux kernel is updated with the latest security patches.

Evidence notes

The CVE-2026-46288 vulnerability was published on 2026-06-08 and modified on 2026-06-14. The vulnerability has a CVSS score of 8.4 and is considered HIGH severity.

Official resources

CVE-2026-46288 was published on 2026-06-08T17:16:46.957Z and modified on 2026-06-14T06:16:23.173Z.