CVE-2026-46285 is a vulnerability in Linux Kernel
Published on June 8, 2026
mtd: docg3: fix use-after-free in docg3_release()
In the Linux kernel, the following vulnerability has been resolved:
In docg3_release(), the docg3 pointer is obtained from
cascade->floors[0]->priv before the loop that calls
doc_release_device() on each floor. doc_release_device() frees the
docg3 struct via kfree(docg3) at line 1881. After the loop,
docg3->cascade->bch dereferences the already-freed pointer.
Fix this by accessing cascade->bch directly, which is equivalent
since docg3->cascade points back to the same cascade struct, and
is already available as a local variable. This also removes the
now-unused docg3 local variable.
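A simplified user-space model of the ordering described above, added here as an illustration and not the kernel's code. The struct layouts, `release_floor()`, `tracked_free()`, `xalloc()` and the two-floor cascade are assumptions. It records the address the old code cached before the loop, shows that address has been freed by the time `bch` is released, and then releases `bch` through the live `cascade` pointer as the fix does.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define FLOORS 2                              /* constructed: a two-floor cascade */
struct cascade;
struct docg3 { struct cascade *cascade; };    /* per-floor state with back-pointer */
struct mtd { struct docg3 *priv; };           /* stand-in for the per-floor MTD device */
struct cascade { struct mtd *floors[FLOORS]; void *bch; };

static uintptr_t freed[16];                   /* addresses handed to tracked_free() */
static int nfreed;

static void *xalloc(size_t n) { void *p = calloc(1, n); if (!p) abort(); return p; }
static void tracked_free(void *p) { if (nfreed < 16) freed[nfreed++] = (uintptr_t)p; free(p); }

static bool was_freed(uintptr_t a) {
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == a) return true;
    return false;
}

/* Models doc_release_device(): releasing a floor also frees its docg3. */
static void release_floor(struct mtd *mtd) {
    tracked_free(mtd->priv);
    tracked_free(mtd);
}

static struct cascade *make_cascade(void) {
    struct cascade *c = xalloc(sizeof(*c));
    c->bch = xalloc(16);
    for (int i = 0; i < FLOORS; i++) {
        c->floors[i] = xalloc(sizeof(struct mtd));
        c->floors[i]->priv = xalloc(sizeof(struct docg3));
        c->floors[i]->priv->cascade = c;      /* same cascade the caller already holds */
    }
    return c;
}

/* Fixed ordering. Returns true if the pointer the old code cached before the
 * loop (floors[0]->priv) is already freed at the point bch gets released. */
static bool release_fixed(struct cascade *c) {
    uintptr_t cached = (uintptr_t)c->floors[0]->priv;  /* address only, never dereferenced */
    for (int i = 0; i < FLOORS; i++)
        release_floor(c->floors[i]);
    bool stale = was_freed(cached);   /* old code read cached->cascade->bch here */
    tracked_free(c->bch);             /* fix: reach bch through the live cascade */
    tracked_free(c);
    return stale;
}
int main(void) { return release_fixed(make_cascade()) ? 0 : 1; }
```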
Affected Versions
Linux:
- Version c8ae3f744ddca0da164bcacee42d1d4b6fe7027d and below 8408655ec8344511667b61d8257dc59c80ee3391 is affected.
- Version c8ae3f744ddca0da164bcacee42d1d4b6fe7027d and below f5d2ed4ed47d3906e2495a3537a48b127f497a17 is affected.
- Version c8ae3f744ddca0da164bcacee42d1d4b6fe7027d and below 2bf706fe7831b319f23a85b9728f961cfed40c3e is affected.
- Version c8ae3f744ddca0da164bcacee42d1d4b6fe7027d and below d26f8c361f751c188b7ebaf8189aa0258968fd98 is affected.
- Version c8ae3f744ddca0da164bcacee42d1d4b6fe7027d and below 16f6588a3b7a2a20d10ad9b766be74c60ba347cc is affected.
- Version c8ae3f744ddca0da164bcacee42d1d4b6fe7027d and below d89044889ecd11b0c2f86663597246e9bdd25679 is affected.
- Version c8ae3f744ddca0da164bcacee42d1d4b6fe7027d and below d49628d63d4e6bbc8a1621afb88e5fc901611bee is affected.
- Version c8ae3f744ddca0da164bcacee42d1d4b6fe7027d and below ca19808bc6fac7e29420d8508df569b346b3e339 is affected.
- Version 5.8 is affected.
- Before 5.8 is unaffected.
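- Version 5.10.258 and later, up to and including 5.10.*, is unaffected.
- Version 5.15.209 and later, up to and including 5.15.*, is unaffected.
- Version 6.1.175 and later, up to and including 6.1.*, is unaffected.
- Version 6.6.140 and later, up to and including 6.6.*, is unaffected.
- Version 6.12.86 and later, up to and including 6.12.*, is unaffected.
- Version 6.18.27 and later, up to and including 6.18.*, is unaffected.
- Version 7.0.4 and later, up to and including 7.0.*, is unaffected.
- Version 7.1-rc1 and later is unaffected.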