CVE-2026-46285

Source
https://cve.org/CVERecord?id=CVE-2026-46285
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46285.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-46285
Downstream
Related
Published
2026-06-08T15:41:28.566Z
Modified
2026-06-18T03:56:24.200888024Z
Summary
mtd: docg3: fix use-after-free in docg3_release()
Details

In the Linux kernel, the following vulnerability has been resolved:

mtd: docg3: fix use-after-free in docg3_release()

In docg3release(), the docg3 pointer is obtained from cascade->floors[0]->priv before the loop that calls docreleasedevice() on each floor. docrelease_device() frees the docg3 struct via kfree(docg3) at line 1881. After the loop, docg3->cascade->bch dereferences the already-freed pointer.

Fix this by accessing cascade->bch directly, which is equivalent since docg3->cascade points back to the same cascade struct, and is already available as a local variable. This also removes the now-unused docg3 local variable.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46285.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c8ae3f744ddca0da164bcacee42d1d4b6fe7027d
Fixed
8408655ec8344511667b61d8257dc59c80ee3391
Fixed
f5d2ed4ed47d3906e2495a3537a48b127f497a17
Fixed
2bf706fe7831b319f23a85b9728f961cfed40c3e
Fixed
d26f8c361f751c188b7ebaf8189aa0258968fd98
Fixed
16f6588a3b7a2a20d10ad9b766be74c60ba347cc
Fixed
d89044889ecd11b0c2f86663597246e9bdd25679
Fixed
d49628d63d4e6bbc8a1621afb88e5fc901611bee
Fixed
ca19808bc6fac7e29420d8508df569b346b3e339

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46285.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.8.0
Fixed
5.10.258
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.140
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.86
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.27
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46285.json"