mtd: docg3: fix use-after-free in docg3_release()
CVE-2026-46285

Currently unrated

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 8 June 2026

What is CVE-2026-46285?

In the Linux kernel, the following vulnerability has been resolved:

mtd: docg3: fix use-after-free in docg3_release()

In docg3_release(), the docg3 pointer is obtained from cascade->floors[0]->priv before the loop that calls doc_release_device() on each floor. doc_release_device() frees the docg3 struct via kfree(docg3) at line 1881. After the loop, docg3->cascade->bch dereferences the already-freed pointer.

Fix this by accessing cascade->bch directly, which is equivalent since docg3->cascade points back to the same cascade struct, and is already available as a local variable. This also removes the now-unused docg3 local variable.

Affected Version(s)

Linux c8ae3f744ddca0da164bcacee42d1d4b6fe7027d < 8408655ec8344511667b61d8257dc59c80ee3391

Linux c8ae3f744ddca0da164bcacee42d1d4b6fe7027d

Linux c8ae3f744ddca0da164bcacee42d1d4b6fe7027d < 2bf706fe7831b319f23a85b9728f961cfed40c3e

References

https://git.kernel.org/stable/c/8408655ec8344511667b61d82...

https://git.kernel.org/stable/c/f5d2ed4ed47d3906e2495a353...

https://git.kernel.org/stable/c/2bf706fe7831b319f23a85b97...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 8, 2026
Vulnerability Reserved
May 13, 2026

CVE-2026-46285 Data

JSON