CVE-2026-46285 PUBLISHED

mtd: docg3: fix use-after-free in docg3_release()

Assigner: Linux
Reserved: 13.05.2026 Published: 08.06.2026 Updated: 14.06.2026

In the Linux kernel, the following vulnerability has been resolved:

mtd: docg3: fix use-after-free in docg3_release()

In docg3_release(), the docg3 pointer is obtained from cascade->floors[0]->priv before the loop that calls doc_release_device() on each floor. doc_release_device() frees the docg3 struct via kfree(docg3) at line 1881. After the loop, docg3->cascade->bch dereferences the already-freed pointer.

Fix this by accessing cascade->bch directly, which is equivalent since docg3->cascade points back to the same cascade struct, and is already available as a local variable. This also removes the now-unused docg3 local variable.

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from c8ae3f744ddca0da164bcacee42d1d4b6fe7027d to 8408655ec8344511667b61d8257dc59c80ee3391 (excl.)
  • affected from c8ae3f744ddca0da164bcacee42d1d4b6fe7027d to f5d2ed4ed47d3906e2495a3537a48b127f497a17 (excl.)
  • affected from c8ae3f744ddca0da164bcacee42d1d4b6fe7027d to 2bf706fe7831b319f23a85b9728f961cfed40c3e (excl.)
  • affected from c8ae3f744ddca0da164bcacee42d1d4b6fe7027d to d26f8c361f751c188b7ebaf8189aa0258968fd98 (excl.)
  • affected from c8ae3f744ddca0da164bcacee42d1d4b6fe7027d to 16f6588a3b7a2a20d10ad9b766be74c60ba347cc (excl.)
  • affected from c8ae3f744ddca0da164bcacee42d1d4b6fe7027d to d89044889ecd11b0c2f86663597246e9bdd25679 (excl.)
  • affected from c8ae3f744ddca0da164bcacee42d1d4b6fe7027d to d49628d63d4e6bbc8a1621afb88e5fc901611bee (excl.)
  • affected from c8ae3f744ddca0da164bcacee42d1d4b6fe7027d to ca19808bc6fac7e29420d8508df569b346b3e339 (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 5.8 is affected
  • unaffected from 0 to 5.8 (excl.)
  • unaffected from 5.10.258 to 5.10.* (incl.)
  • unaffected from 5.15.209 to 5.15.* (incl.)
  • unaffected from 6.1.175 to 6.1.* (incl.)
  • unaffected from 6.6.140 to 6.6.* (incl.)
  • unaffected from 6.12.86 to 6.12.* (incl.)
  • unaffected from 6.18.27 to 6.18.* (incl.)
  • unaffected from 7.0.4 to 7.0.* (incl.)
  • unaffected from 7.1 to * (incl.)

References