CVE-2026-23012 (GCVE-0-2026-23012)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-01-25 14:36
Title
mm/damon/core: remove call_control in inactive contexts
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/core: remove call_control in inactive contexts
If damon_call() is executed against a DAMON context that is not running, the function returns an error while keeping the damon_call_control object linked to the context's call_controls list. Let's suppose the object is deallocated after the damon_call(), and yet another damon_call() is executed against the same context. The function tries to add the new damon_call_control object to the call_controls list, which still has the pointer to the previous damon_call_control object, which is deallocated. As a result, a use-after-free happens.

This can actually be triggered using the DAMON sysfs interface. It is not easily exploitable since it requires the sysfs write permission and making definitely weird file writes, though. Please refer to the report for more details about the issue reproduction steps.

Fix the issue by making two changes. Firstly, move the final kdamond_call() for cancelling all existing damon_call() requests from the terminating DAMON context to be done before the ctx->kdamond reset. This lets any code that sees NULL ctx->kdamond safely assume the context may not access damon_call() requests anymore. Secondly, let damon_call() clean up the damon_call_control objects that were added to the already-terminated DAMON context, before returning the error.
Severity
No CVSS data available.
Assigner
References
Impacted products
```json
{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/damon/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "23b061f421eef03647b512f3df48861706c87db3",
              "status": "affected",
              "version": "004ded6bee11b8ed463cdc54b89a4390f4b64f6d",
              "versionType": "git"
            },
            {
              "lessThan": "f9132fbc2e83baf2c45a77043672a63a675c9394",
              "status": "affected",
              "version": "004ded6bee11b8ed463cdc54b89a4390f4b64f6d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/damon/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.17"
            },
            {
              "lessThan": "6.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.7",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc6",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: remove call_control in inactive contexts\n\nIf damon_call() is executed against a DAMON context that is not running,\nthe function returns error while keeping the damon_call_control object\nlinked to the context\u0027s call_controls list. Let\u0027s suppose the object is\ndeallocated after the damon_call(), and yet another damon_call() is\nexecuted against the same context. The function tries to add the new\ndamon_call_control object to the call_controls list, which still has the\npointer to the previous damon_call_control object, which is deallocated. \nAs a result, use-after-free happens.\n\nThis can actually be triggered using the DAMON sysfs interface. It is not\neasily exploitable since it requires the sysfs write permission and making\na definitely weird file writes, though. Please refer to the report for\nmore details about the issue reproduction steps.\n\nFix the issue by making two changes. Firstly, move the final\nkdamond_call() for cancelling all existing damon_call() requests from\nterminating DAMON context to be done before the ctx-\u003ekdamond reset. This\nmakes any code that sees NULL ctx-\u003ekdamond can safely assume the context\nmay not access damon_call() requests anymore. Secondly, let damon_call()\nto cleanup the damon_call_control objects that were added to the\nalready-terminated DAMON context, before returning the error."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-25T14:36:25.187Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/23b061f421eef03647b512f3df48861706c87db3"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9132fbc2e83baf2c45a77043672a63a675c9394"
        }
      ],
      "title": "mm/damon/core: remove call_control in inactive contexts",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23012",
    "datePublished": "2026-01-25T14:36:25.187Z",
    "dateReserved": "2026-01-13T15:37:45.940Z",
    "dateUpdated": "2026-01-25T14:36:25.187Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23012\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-01-25T15:15:56.073\",\"lastModified\":\"2026-01-26T15:03:33.357\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/damon/core: remove call_control in inactive contexts\\n\\nIf damon_call() is executed against a DAMON context that is not running,\\nthe function returns error while keeping the damon_call_control object\\nlinked to the context\u0027s call_controls list. Let\u0027s suppose the object is\\ndeallocated after the damon_call(), and yet another damon_call() is\\nexecuted against the same context. The function tries to add the new\\ndamon_call_control object to the call_controls list, which still has the\\npointer to the previous damon_call_control object, which is deallocated. \\nAs a result, use-after-free happens.\\n\\nThis can actually be triggered using the DAMON sysfs interface. It is not\\neasily exploitable since it requires the sysfs write permission and making\\na definitely weird file writes, though. Please refer to the report for\\nmore details about the issue reproduction steps.\\n\\nFix the issue by making two changes. Firstly, move the final\\nkdamond_call() for cancelling all existing damon_call() requests from\\nterminating DAMON context to be done before the ctx-\u003ekdamond reset. This\\nmakes any code that sees NULL ctx-\u003ekdamond can safely assume the context\\nmay not access damon_call() requests anymore. Secondly, let damon_call()\\nto cleanup the damon_call_control objects that were added to the\\nalready-terminated DAMON context, before returning the error.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/23b061f421eef03647b512f3df48861706c87db3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f9132fbc2e83baf2c45a77043672a63a675c9394\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}
```
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.