HIGH | CVE-2026-46288 | CNA: Linux

CVE-2026-46288: of: unittest: fix use-after-free in of_unittest_changeset()

In the Linux kernel, the following vulnerability has been resolved:

of: unittest: fix use-after-free in of_unittest_changeset()

The variable 'parent' is assigned the value of 'nchangeset' earlier in the function, meaning both point to the same struct device_node. The call to of_node_put(nchangeset) can decrement the reference count to zero and free the node if there are no other holders. After that, the code still uses 'parent' to check for the presence of a property and to read a string property, leading to a use-after-free.

Fix this by moving the of_node_put() call after the last access to 'parent', avoiding the UAF.
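The ordering problem described above, as an added user-space model in C (not the kernel's code or the upstream patch). `struct node`, `node_put()` and `node_read_string()` are hypothetical stand-ins for the device-tree node and its accessors, and a `released` flag marks the point where the kernel would free the node, so stale accesses can be counted without performing a real use-after-free.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a refcounted device-tree node (hypothetical). */
struct node {
    int refcount;
    int released;               /* set where the kernel would free the node */
    const char *prop_name, *prop_value;
    int stale;                  /* accesses made after release */
};

static void node_put(struct node *n)
{
    if (--n->refcount == 0)
        n->released = 1;        /* last holder gone */
}

static const char *node_read_string(struct node *n, const char *name)
{
    if (n->released) {          /* the kernel would touch freed memory here */
        n->stale++;
        return NULL;
    }
    return strcmp(n->prop_name, name) == 0 ? n->prop_value : NULL;
}

/* put_first != 0: reference dropped before the last use of the alias (the bug).
 * put_first == 0: reference dropped after the last use (the fix).
 * Returns the number of accesses made after release. */
int count_stale_accesses(int put_first)
{
    struct node nchangeset = { 1, 0, "name", "n1", 0 }; /* constructed sample */
    struct node *parent = &nchangeset;  /* alias: no extra reference is taken */

    if (put_first)
        node_put(&nchangeset);
    node_read_string(parent, "name");   /* stands in for the presence check */
    node_read_string(parent, "name");   /* stands in for the string read */
    if (!put_first)
        node_put(&nchangeset);
    return nchangeset.stale;
}

int main(void)
{
    printf("put before last use: %d stale accesses\n", count_stale_accesses(1));
    printf("put after last use:  %d stale accesses\n", count_stale_accesses(0));
    return 0;
}
```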

Metrics

  • CVSS v3.1: 8.4
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2


HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Linux kernel's device-tree unit-test subsystem, specifically in the of_unittest_changeset() function. An attacker with local access to the system can trigger the bug without any authentication or user interaction, exploiting a freed memory region that is still referenced through the 'parent' pointer after of_node_put() drops the reference count to zero. Successful exploitation grants full read, write, and crash capabilities on the affected host. A patched-image rebuild at the fix versions (6.12.86, 6.18.27, and the associated commit SHAs) is available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: CVE-2026-46288 is ingested from upstream kernel security feeds within minutes of publication and matched against customer images, including custom-built images that bundle an affected kernel or kernel modules. Any image whose kernel version falls within the vulnerable range is flagged immediately.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 8.4 (HIGH) and weights it against each environment's compliance policy to determine urgency and ownership routing. Triage findings are delivered to the appropriate team inbox inside each customer organization, with severity context surfaced alongside affected image and workload details.

Status: Available

Patch

A patched-image rebuild at kernel versions 6.12.86, 6.18.27, or the upstream fix commits becomes available on HarborGuard once the base image containing the fix is published. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network exposure is required to reach the vulnerable code path.

  • Authentication: Not required

    No account credentials are required; the CVSS vector specifies PR:N, meaning any unprivileged local process can trigger the vulnerability.

  • Victim interaction: Not required

    The exploit requires no action from any other user or process on the system; it is entirely attacker-driven.

  • Attack complexity: Low

    Attack complexity is low (AC:L), meaning the exploit is reliable and does not depend on race conditions, special memory layouts, or other variable environmental factors.

Blast Radius

  • The attacker reads arbitrary kernel memory from the freed device-node structure, exposing data such as device-tree properties and any co-located kernel objects.
  • The attacker writes into the freed memory region, allowing corruption of kernel data structures that may be reallocated at that address.
  • The attacker crashes the kernel by triggering a fault on the dangling pointer access, causing a full system denial of service.
  • Any combination of the above impacts can be chained in a single exploit attempt given the high confidentiality, integrity, and availability scores.

How HarborGuard Handles This

Available on HarborGuard: images containing Linux kernel versions prior to 6.12.86, 6.18.27, or the fix commits are matched against CVE-2026-46288 at ingest time. Where compliance policy permits and auto-remediation is enabled, HarborGuard triggers a base-image rebuild at the patched version, executes a regression test run, and opens a pull request against affected workloads. For high-severity issues, the median time from CVE publication to merged patch PR in environments with auto-remediation enabled is around 90 minutes. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding in the triage queue with remediation guidance pointing to the specific fix versions. As a compensating control while patching is in progress, customers can apply Linux Security Module policies or seccomp profiles to restrict unprivileged local process access to device-tree interfaces on sensitive workloads.


Fix available

0 · 37318d1a27c9cc5a70d3cd7e49e30ec86f2b8ca1 · 6.12.86 · 6.18.27 · 6fdad20b7975bdc32e85b45f8f7c640f6687b81f · 7.0.4 · 7.1-rc1 · 7f0f0926f3010b10cff5e93446258f971e42f2fd · faecdd423c27f0d6090156a435ba9dbbac0eaddb
Affected packages
  • Linux / Linux
    < 37318d1a27c9cc5a70d3cd7e49e30ec86f2b8ca1 (from 1c668ea65506e67ce2eae07b69bb09fcdd86e309) · < 7f0f0926f3010b10cff5e93446258f971e42f2fd (from 1c668ea65506e67ce2eae07b69bb09fcdd86e309) · < 6fdad20b7975bdc32e85b45f8f7c640f6687b81f (from 1c668ea65506e67ce2eae07b69bb09fcdd86e309) · < faecdd423c27f0d6090156a435ba9dbbac0eaddb (from 1c668ea65506e67ce2eae07b69bb09fcdd86e309)
  • Linux / Linux
    6.12
    Fixed in 0, 6.12.86, 6.18.27, 7.0.4, 7.1-rc1
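Matching a kernel release against the fix versions listed above has to be done per stable branch: a single "older than 6.12.86" comparison would flag 6.6.x and miss 6.18.5. The following C function is an added example (not HarborGuard's matcher). It assumes 6.12 is the first affected release and that a branch with no listed fix release remains affected; the function name is hypothetical.

```c
#include <stdio.h>

/* First fixed release on each stable branch, as listed on this page. */
struct branch_fix { int major, minor, patch; };
static const struct branch_fix fixes[] = {
    { 6, 12, 86 }, { 6, 18, 27 }, { 7, 0, 4 },
};

/* Classify a kernel release string such as "6.12.85" or "6.18.27-generic".
 * Returns 1 = affected, 0 = not affected, -1 = unparseable. */
int cve_2026_46288_affected(const char *release)
{
    int major, minor, patch = 0;
    size_t i;

    if (sscanf(release, "%d.%d.%d", &major, &minor, &patch) < 2)
        return -1;
    /* Assumption: 6.12 is the first affected release. */
    if (major < 6 || (major == 6 && minor < 12))
        return 0;
    /* Mainline carries the fix from 7.1-rc1 onward. */
    if (major > 7 || (major == 7 && minor >= 1))
        return 0;
    for (i = 0; i < sizeof(fixes) / sizeof(fixes[0]); i++)
        if (fixes[i].major == major && fixes[i].minor == minor)
            return patch < fixes[i].patch;
    /* Assumption: a branch with no listed fix release stays affected. */
    return 1;
}

int main(void)
{
    /* Constructed sample release strings. */
    static const char *samples[] = { "6.6.100", "6.12.85", "6.12.86",
        "6.15.3", "6.18.5", "6.18.27-generic", "7.0.3", "7.1.0-rc1" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s %s\n", samples[i],
               cve_2026_46288_affected(samples[i]) ? "affected" : "not affected");
    return 0;
}
```

A version match shows only that the kernel source carries the bug; the device-tree unit test is built only when CONFIG_OF_UNITTEST is enabled, so the kernel config of a flagged image is worth checking during triage.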
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H