Use-after-free in Linux kernel - CVE-2026-46219
Published: May 29, 2026
Linux kernel
Detailed vulnerability description
The vulnerability allows a local attacker to execute arbitrary code.
The vulnerability exists due to a use-after-free in the state machine work handling of the mpc52xx SPI driver, which occurs when the device is unbound after an interrupt has scheduled work. A local attacker can trigger device unbinding while the scheduled work is still pending and execute arbitrary code.
How to mitigate CVE-2026-46219
Sources
- https://git.kernel.org/stable/c/6c3e413919a12627d04a31a4a5fccb9fc129bb02
- https://git.kernel.org/stable/c/706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0
- https://git.kernel.org/stable/c/bb6b50f709c5a01906ff72a07fdc070bb3357188
- https://git.kernel.org/stable/c/bbcd6dd8e9f264440eaf6167382bf404911c1c46
- https://git.kernel.org/stable/c/ee52da0dd83ebcd89ecbbe2660c57b15a25489f2