mtd: docg3: fix use-after-free in docg3_release()
In docg3_release(), the docg3 pointer is obtained from
cascade->floors[0]->priv before the loop that calls
doc_release_device() on each floor. doc_release_device() frees the
docg3 struct via kfree(docg3) at line 1881. After the loop,
docg3->cascade->bch dereferences the already-freed pointer.
Fix this by accessing cascade->bch directly, which is equivalent
since docg3->cascade points back to the same cascade struct, and
is already available as a local variable. This also removes the
now-unused docg3 local variable.
Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Ubuntu USN |
USN-8488-1 | Linux kernel vulnerabilities |
Ubuntu USN |
USN-8489-1 | Linux kernel (OEM) vulnerabilities |
Tue, 09 Jun 2026 02:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-416 |
Tue, 09 Jun 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-825 | |
| References |
|
Mon, 08 Jun 2026 19:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-416 |
Mon, 08 Jun 2026 17:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In the Linux kernel, the following vulnerability has been resolved: mtd: docg3: fix use-after-free in docg3_release() In docg3_release(), the docg3 pointer is obtained from cascade->floors[0]->priv before the loop that calls doc_release_device() on each floor. doc_release_device() frees the docg3 struct via kfree(docg3) at line 1881. After the loop, docg3->cascade->bch dereferences the already-freed pointer. Fix this by accessing cascade->bch directly, which is equivalent since docg3->cascade points back to the same cascade struct, and is already available as a local variable. This also removes the now-unused docg3 local variable. | |
| Title | mtd: docg3: fix use-after-free in docg3_release() | |
| First Time appeared |
Linux
Linux linux Kernel |
|
| CPEs | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Linux
Linux linux Kernel |
|
| References |
|
|
Status: PUBLISHED
Assigner: Linux
Published:
Updated: 2026-06-14T18:06:23.744Z
Reserved: 2026-05-13T15:03:33.110Z
Link: CVE-2026-46285
No data.
Status : Received
Published: 2026-06-08T17:16:46.347
Modified: 2026-06-08T17:16:46.347
Link: CVE-2026-46285
OpenCVE Enrichment
Updated: 2026-06-09T03:45:26Z
Ubuntu USN