
Description

In the Linux kernel, the following vulnerability has been resolved:

mtd: docg3: fix use-after-free in docg3_release()

In docg3_release(), the docg3 pointer is obtained from cascade->floors[0]->priv before the loop that calls doc_release_device() on each floor. doc_release_device() frees the docg3 struct via kfree(docg3) at line 1881. After the loop, docg3->cascade->bch dereferences the already-freed pointer.

Fix this by accessing cascade->bch directly, which is equivalent since docg3->cascade points back to the same cascade struct, and is already available as a local variable. This also removes the now-unused docg3 local variable.

PUBLISHED Reserved 2026-05-13 | Published 2026-06-08 | Updated 2026-06-08 | Assigner Linux

Product status

Default status: unaffected

c8ae3f744ddca0da164bcacee42d1d4b6fe7027d (git) before 8408655ec8344511667b61d8257dc59c80ee3391: affected
c8ae3f744ddca0da164bcacee42d1d4b6fe7027d (git) before f5d2ed4ed47d3906e2495a3537a48b127f497a17: affected
c8ae3f744ddca0da164bcacee42d1d4b6fe7027d (git) before 2bf706fe7831b319f23a85b9728f961cfed40c3e: affected
c8ae3f744ddca0da164bcacee42d1d4b6fe7027d (git) before d26f8c361f751c188b7ebaf8189aa0258968fd98: affected
c8ae3f744ddca0da164bcacee42d1d4b6fe7027d (git) before 16f6588a3b7a2a20d10ad9b766be74c60ba347cc: affected
c8ae3f744ddca0da164bcacee42d1d4b6fe7027d (git) before d89044889ecd11b0c2f86663597246e9bdd25679: affected
c8ae3f744ddca0da164bcacee42d1d4b6fe7027d (git) before d49628d63d4e6bbc8a1621afb88e5fc901611bee: affected
c8ae3f744ddca0da164bcacee42d1d4b6fe7027d (git) before ca19808bc6fac7e29420d8508df569b346b3e339: affected

Default status: affected

5.8: affected
Any version before 5.8: unaffected
5.10.258 (semver): unaffected
5.15.209 (semver): unaffected
6.1.175 (semver): unaffected
6.6.140 (semver): unaffected
6.12.86 (semver): unaffected
6.18.27 (semver): unaffected
7.0.4 (semver): unaffected
7.1-rc1 (original_commit_for_fix): unaffected

References

git.kernel.org/...c/8408655ec8344511667b61d8257dc59c80ee3391

git.kernel.org/...c/f5d2ed4ed47d3906e2495a3537a48b127f497a17

git.kernel.org/...c/2bf706fe7831b319f23a85b9728f961cfed40c3e

git.kernel.org/...c/d26f8c361f751c188b7ebaf8189aa0258968fd98

git.kernel.org/...c/16f6588a3b7a2a20d10ad9b766be74c60ba347cc

git.kernel.org/...c/d89044889ecd11b0c2f86663597246e9bdd25679

git.kernel.org/...c/d49628d63d4e6bbc8a1621afb88e5fc901611bee

git.kernel.org/...c/ca19808bc6fac7e29420d8508df569b346b3e339

cve.org (CVE-2026-46285)

nvd.nist.gov (CVE-2026-46285)
