Linux Kernel UAF in of_unittest_changeset() of_node_put()
CVE-2026-46288 Published on June 8, 2026
of: unittest: fix use-after-free in of_unittest_changeset()
In the Linux kernel, the following vulnerability has been resolved:
of: unittest: fix use-after-free in of_unittest_changeset()
The variable 'parent' is assigned the value of 'nchangeset' earlier in the
function, meaning both point to the same struct device_node. The call to
of_node_put(nchangeset) can decrement the reference count to zero and
free the node if there are no other holders. After that, the code still
uses 'parent' to check for the presence of a property and to read a
string property, leading to a use-after-free.
Fix this by moving the of_node_put() call after the last access to
'parent', avoiding the UAF.
Products Associated with CVE-2026-46288
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 1c668ea65506e67ce2eae07b69bb09fcdd86e309 and below 37318d1a27c9cc5a70d3cd7e49e30ec86f2b8ca1 is affected.
- Version 1c668ea65506e67ce2eae07b69bb09fcdd86e309 and below 7f0f0926f3010b10cff5e93446258f971e42f2fd is affected.
- Version 1c668ea65506e67ce2eae07b69bb09fcdd86e309 and below 6fdad20b7975bdc32e85b45f8f7c640f6687b81f is affected.
- Version 1c668ea65506e67ce2eae07b69bb09fcdd86e309 and below faecdd423c27f0d6090156a435ba9dbbac0eaddb is affected.
- Version 6.12 is affected.
- Before 6.12 is unaffected.
- Version 6.12.86, <= 6.12.* is unaffected.
- Version 6.18.27, <= 6.18.* is unaffected.
- Version 7.0.4, <= 7.0.* is unaffected.
- Version 7.1-rc1, <= * is unaffected.