CVE-2026-43388 (GCVE-0-2026-43388)

Vulnerability from cvelistv5 – Published: 2026-05-08 14:21 – Updated: 2026-05-08 14:21
VLAI?
Title
mm/damon/core: clear walk_control on inactive context in damos_walk()
Summary
In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: clear walk_control on inactive context in damos_walk() damos_walk() sets ctx->walk_control to the caller-provided control structure before checking whether the context is running. If the context is inactive (damon_is_running() returns false), the function returns -EINVAL without clearing ctx->walk_control. This leaves a dangling pointer to a stack-allocated structure that will be freed when the caller returns. This is structurally identical to the bug fixed in commit f9132fbc2e83 ("mm/damon/core: remove call_control in inactive contexts") for damon_call(), which had the same pattern of linking a control object and returning an error without unlinking it. The dangling walk_control pointer can cause: 1. Use-after-free if the context is later started and kdamond    dereferences ctx->walk_control (e.g., in damos_walk_cancel()    which writes to control->canceled and calls complete()) 2. Permanent -EBUSY from subsequent damos_walk() calls, since the    stale pointer is non-NULL Nonetheless, the real user impact is quite restrictive. The use-after-free is impossible because there is no damos_walk() callers who starts the context later. The permanent -EBUSY can actually confuse users, as DAMON is not running. But the symptom is kept only while the context is turned off. Turning it on again will make DAMON internally uses a newly generated damon_ctx object that doesn't have the invalid damos_walk_control pointer, so everything will work fine again. Fix this by clearing ctx->walk_control under walk_control_lock before returning -EINVAL, mirroring the fix pattern from f9132fbc2e83.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61 , < ce0aa47c963b8c3e5beace89e2b5a665a64b5b6b (git)
Affected: bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61 , < 9320c77134ab8d7701e20608bbf08517df4fa321 (git)
Affected: bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61 , < d210fdcac9c0d1380eab448aebc93f602c1cd4e6 (git)
Create a notification for this product.
    Linux Linux Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.18.19 , ≤ 6.18.* (semver)
Unaffected: 6.19.9 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/damon/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ce0aa47c963b8c3e5beace89e2b5a665a64b5b6b",
              "status": "affected",
              "version": "bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61",
              "versionType": "git"
            },
            {
              "lessThan": "9320c77134ab8d7701e20608bbf08517df4fa321",
              "status": "affected",
              "version": "bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61",
              "versionType": "git"
            },
            {
              "lessThan": "d210fdcac9c0d1380eab448aebc93f602c1cd4e6",
              "status": "affected",
              "version": "bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/damon/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.19",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.9",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: clear walk_control on inactive context in damos_walk()\n\ndamos_walk() sets ctx-\u003ewalk_control to the caller-provided control\nstructure before checking whether the context is running.  If the context\nis inactive (damon_is_running() returns false), the function returns\n-EINVAL without clearing ctx-\u003ewalk_control.  This leaves a dangling\npointer to a stack-allocated structure that will be freed when the caller\nreturns.\n\nThis is structurally identical to the bug fixed in commit f9132fbc2e83\n(\"mm/damon/core: remove call_control in inactive contexts\") for\ndamon_call(), which had the same pattern of linking a control object and\nreturning an error without unlinking it.\n\nThe dangling walk_control pointer can cause:\n1. Use-after-free if the context is later started and kdamond\n\u00a0 \u00a0dereferences ctx-\u003ewalk_control (e.g., in damos_walk_cancel()\n\u00a0 \u00a0which writes to control-\u003ecanceled and calls complete())\n2. Permanent -EBUSY from subsequent damos_walk() calls, since the\n\u00a0 \u00a0stale pointer is non-NULL\n\nNonetheless, the real user impact is quite restrictive.  The\nuse-after-free is impossible because there is no damos_walk() callers who\nstarts the context later.  The permanent -EBUSY can actually confuse\nusers, as DAMON is not running.  But the symptom is kept only while the\ncontext is turned off.  Turning it on again will make DAMON internally\nuses a newly generated damon_ctx object that doesn\u0027t have the invalid\ndamos_walk_control pointer, so everything will work fine again.\n\nFix this by clearing ctx-\u003ewalk_control under walk_control_lock before\nreturning -EINVAL, mirroring the fix pattern from f9132fbc2e83."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T14:21:33.966Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ce0aa47c963b8c3e5beace89e2b5a665a64b5b6b"
        },
        {
          "url": "https://git.kernel.org/stable/c/9320c77134ab8d7701e20608bbf08517df4fa321"
        },
        {
          "url": "https://git.kernel.org/stable/c/d210fdcac9c0d1380eab448aebc93f602c1cd4e6"
        }
      ],
      "title": "mm/damon/core: clear walk_control on inactive context in damos_walk()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43388",
    "datePublished": "2026-05-08T14:21:33.966Z",
    "dateReserved": "2026-05-01T14:12:56.006Z",
    "dateUpdated": "2026-05-08T14:21:33.966Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43388\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-08T15:16:50.180\",\"lastModified\":\"2026-05-08T15:16:50.180\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/damon/core: clear walk_control on inactive context in damos_walk()\\n\\ndamos_walk() sets ctx-\u003ewalk_control to the caller-provided control\\nstructure before checking whether the context is running.  If the context\\nis inactive (damon_is_running() returns false), the function returns\\n-EINVAL without clearing ctx-\u003ewalk_control.  This leaves a dangling\\npointer to a stack-allocated structure that will be freed when the caller\\nreturns.\\n\\nThis is structurally identical to the bug fixed in commit f9132fbc2e83\\n(\\\"mm/damon/core: remove call_control in inactive contexts\\\") for\\ndamon_call(), which had the same pattern of linking a control object and\\nreturning an error without unlinking it.\\n\\nThe dangling walk_control pointer can cause:\\n1. Use-after-free if the context is later started and kdamond\\n\u00a0 \u00a0dereferences ctx-\u003ewalk_control (e.g., in damos_walk_cancel()\\n\u00a0 \u00a0which writes to control-\u003ecanceled and calls complete())\\n2. Permanent -EBUSY from subsequent damos_walk() calls, since the\\n\u00a0 \u00a0stale pointer is non-NULL\\n\\nNonetheless, the real user impact is quite restrictive.  The\\nuse-after-free is impossible because there is no damos_walk() callers who\\nstarts the context later.  The permanent -EBUSY can actually confuse\\nusers, as DAMON is not running.  But the symptom is kept only while the\\ncontext is turned off.  Turning it on again will make DAMON internally\\nuses a newly generated damon_ctx object that doesn\u0027t have the invalid\\ndamos_walk_control pointer, so everything will work fine again.\\n\\nFix this by clearing ctx-\u003ewalk_control under walk_control_lock before\\nreturning -EINVAL, mirroring the fix pattern from f9132fbc2e83.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/9320c77134ab8d7701e20608bbf08517df4fa321\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ce0aa47c963b8c3e5beace89e2b5a665a64b5b6b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d210fdcac9c0d1380eab448aebc93f602c1cd4e6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.