{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-46288: of: unittest: fix use-after-free in of_unittest_changeset()","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-46288","status":"final","version":"1","initial_release_date":"2026-06-08T15:41:31.868Z","current_release_date":"2026-06-14T04:30:00.153Z","revision_history":[{"date":"2026-06-08T15:41:31.868Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"In the Linux kernel, the following vulnerability has been resolved:\n\nof: unittest: fix use-after-free in of_unittest_changeset()\n\nThe variable 'parent' is assigned the value of 'nchangeset' earlier in the\nfunction, meaning both point to the same struct device_node. The call to\nof_node_put(nchangeset) can decrement the reference count to zero and\nfree the node if there are no other holders. After that, the code still\nuses 'parent' to check for the presence of a property and to read a\nstring property, leading to a use-after-free.\n\nFix this by moving the of_node_put() call after the last access to\n'parent', avoiding the UAF.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-46288 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-46288"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-46288"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/37318d1a27c9cc5a70d3cd7e49e30ec86f2b8ca1"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/7f0f0926f3010b10cff5e93446258f971e42f2fd"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/6fdad20b7975bdc32e85b45f8f7c640f6687b81f"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/faecdd423c27f0d6090156a435ba9dbbac0eaddb"}]},"product_tree":{"branches":[{"category":"vendor","name":"Linux","branches":[{"category":"product_name","name":"Linux","branches":[{"category":"product_version_range","name":">=1c668ea65506e67ce2eae07b69bb09fcdd86e309 <37318d1a27c9cc5a70d3cd7e49e30ec86f2b8ca1","product":{"name":"Linux Linux >=1c668ea65506e67ce2eae07b69bb09fcdd86e309 <37318d1a27c9cc5a70d3cd7e49e30ec86f2b8ca1","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=1c668ea65506e67ce2eae07b69bb09fcdd86e309 <7f0f0926f3010b10cff5e93446258f971e42f2fd","product":{"name":"Linux Linux >=1c668ea65506e67ce2eae07b69bb09fcdd86e309 <7f0f0926f3010b10cff5e93446258f971e42f2fd","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=1c668ea65506e67ce2eae07b69bb09fcdd86e309 <6fdad20b7975bdc32e85b45f8f7c640f6687b81f","product":{"name":"Linux Linux >=1c668ea65506e67ce2eae07b69bb09fcdd86e309 <6fdad20b7975bdc32e85b45f8f7c640f6687b81f","product_id":"CSAFPID-3","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=1c668ea65506e67ce2eae07b69bb09fcdd86e309 <faecdd423c27f0d6090156a435ba9dbbac0eaddb","product":{"name":"Linux Linux >=1c668ea65506e67ce2eae07b69bb09fcdd86e309 <faecdd423c27f0d6090156a435ba9dbbac0eaddb","product_id":"CSAFPID-4","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}}]}]},{"category":"vendor","name":"Linux","branches":[{"category":"product_name","name":"Linux","branches":[{"category":"product_version","name":"6.12","product":{"name":"Linux Linux 6.12","product_id":"CSAFPID-5","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:6.12:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"0","product":{"name":"Linux Linux 0","product_id":"CSAFPID-6","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:6.12:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.12.86","product":{"name":"Linux Linux 6.12.86","product_id":"CSAFPID-7","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:6.12:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.18.27","product":{"name":"Linux Linux 6.18.27","product_id":"CSAFPID-8","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:6.12:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"7.0.4","product":{"name":"Linux Linux 7.0.4","product_id":"CSAFPID-9","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:6.12:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"7.1-rc1","product":{"name":"Linux Linux 7.1-rc1","product_id":"CSAFPID-10","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:6.12:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-46288","title":"of: unittest: fix use-after-free in of_unittest_changeset()","notes":[{"category":"description","text":"In the Linux kernel, the following vulnerability has been resolved:\n\nof: unittest: fix use-after-free in of_unittest_changeset()\n\nThe variable 'parent' is assigned the value of 'nchangeset' earlier in the\nfunction, meaning both point to the same struct device_node. The call to\nof_node_put(nchangeset) can decrement the reference count to zero and\nfree the node if there are no other holders. After that, the code still\nuses 'parent' to check for the presence of a property and to read a\nstring property, leading to a use-after-free.\n\nFix this by moving the of_node_put() call after the last access to\n'parent', avoiding the UAF.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4","CSAFPID-5"],"fixed":["CSAFPID-6","CSAFPID-7","CSAFPID-8","CSAFPID-9","CSAFPID-10"]},"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.4,"baseSeverity":"HIGH"},"products":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4","CSAFPID-5"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 0, 37318d1a27c9cc5a70d3cd7e49e30ec86f2b8ca1, 6.12.86, 6.18.27, 6fdad20b7975bdc32e85b45f8f7c640f6687b81f, 7.0.4, 7.1-rc1, 7f0f0926f3010b10cff5e93446258f971e42f2fd, faecdd423c27f0d6090156a435ba9dbbac0eaddb.","product_ids":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4","CSAFPID-5"]}]}]}