1. Home
  2. Vulnerabilities
  3. CVE-2026-46285
0.0
NA
CVE-2026-46285
mtd: docg3: fix use-after-free in docg3_release()
Overview
Description

In the Linux kernel, the following vulnerability has been resolved: mtd: docg3: fix use-after-free in docg3_release() In docg3_release(), the docg3 pointer is obtained from cascade->floors[0]->priv before the loop that calls doc_release_device() on each floor. doc_release_device() frees the docg3 struct via kfree(docg3) at line 1881. After the loop, docg3->cascade->bch dereferences the already-freed pointer. Fix this by accessing cascade->bch directly, which is equivalent since docg3->cascade points back to the same cascade struct, and is already available as a local variable. This also removes the now-unused docg3 local variable.

Details
INFO

Published Date :

June 8, 2026, 5:16 p.m.

Last Modified :

June 8, 2026, 5:16 p.m.

Remotely Exploit :

No

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67
Impact
Affected Products

The following products are affected by CVE-2026-46285 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

No affected product recoded yet

: Total Affected Vendor : 0 | Products : 0
Solution
Fix a use-after-free vulnerability by accessing cascade->bch directly.
  • Update the Linux kernel to the resolved version.
  • Apply the specific patch for mtd: docg3.
  • Avoid dereferencing freed pointers in docg3_release().
References
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-46285.

URL Resource
https://git.kernel.org/stable/c/16f6588a3b7a2a20d10ad9b766be74c60ba347cc
https://git.kernel.org/stable/c/2bf706fe7831b319f23a85b9728f961cfed40c3e
https://git.kernel.org/stable/c/8408655ec8344511667b61d8257dc59c80ee3391
https://git.kernel.org/stable/c/ca19808bc6fac7e29420d8508df569b346b3e339
https://git.kernel.org/stable/c/d26f8c361f751c188b7ebaf8189aa0258968fd98
https://git.kernel.org/stable/c/d49628d63d4e6bbc8a1621afb88e5fc901611bee
https://git.kernel.org/stable/c/d89044889ecd11b0c2f86663597246e9bdd25679
https://git.kernel.org/stable/c/f5d2ed4ed47d3906e2495a3537a48b127f497a17
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-46285 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-46285 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-46285 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2026-46285 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jun. 08, 2026

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: mtd: docg3: fix use-after-free in docg3_release() In docg3_release(), the docg3 pointer is obtained from cascade->floors[0]->priv before the loop that calls doc_release_device() on each floor. doc_release_device() frees the docg3 struct via kfree(docg3) at line 1881. After the loop, docg3->cascade->bch dereferences the already-freed pointer. Fix this by accessing cascade->bch directly, which is equivalent since docg3->cascade points back to the same cascade struct, and is already available as a local variable. This also removes the now-unused docg3 local variable.
    Added Reference https://git.kernel.org/stable/c/16f6588a3b7a2a20d10ad9b766be74c60ba347cc
    Added Reference https://git.kernel.org/stable/c/2bf706fe7831b319f23a85b9728f961cfed40c3e
    Added Reference https://git.kernel.org/stable/c/8408655ec8344511667b61d8257dc59c80ee3391
    Added Reference https://git.kernel.org/stable/c/ca19808bc6fac7e29420d8508df569b346b3e339
    Added Reference https://git.kernel.org/stable/c/d26f8c361f751c188b7ebaf8189aa0258968fd98
    Added Reference https://git.kernel.org/stable/c/d49628d63d4e6bbc8a1621afb88e5fc901611bee
    Added Reference https://git.kernel.org/stable/c/d89044889ecd11b0c2f86663597246e9bdd25679
    Added Reference https://git.kernel.org/stable/c/f5d2ed4ed47d3906e2495a3537a48b127f497a17
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CVSS
Vulnerability Scoring Details
No CVSS metrics available for this vulnerability.