CVE ID : CVE-2026-23012<\/p>\n
Published : Jan. 25, 2026, 3:15 p.m. | 1\u00a0hour, 46\u00a0minutes ago<\/p>\n
Description : In the Linux kernel, the following vulnerability has been resolved:<\/p>\n
mm\/damon\/core: remove call_control in inactive contexts<\/p>\n
If damon_call() is executed against a DAMON context that is not running,
\nthe function returns error while keeping the damon_call_control object
\nlinked to the context’s call_controls list. Let’s suppose the object is
\ndeallocated after the damon_call(), and yet another damon_call() is
\nexecuted against the same context. The function tries to add the new
\ndamon_call_control object to the call_controls list, which still has the
\npointer to the previous damon_call_control object, which is deallocated.
\nAs a result, use-after-free happens.<\/p>\n
This can actually be triggered using the DAMON sysfs interface. It is not
\neasily exploitable since it requires the sysfs write permission and making
\na definitely weird file writes, though. Please refer to the report for
\nmore details about the issue reproduction steps.<\/p>\n
Fix the issue by making two changes. Firstly, move the final
\nkdamond_call() for cancelling all existing damon_call() requests from
\nterminating DAMON context to be done before the ctx->kdamond reset. This
\nmakes any code that sees NULL ctx->kdamond can safely assume the context
\nmay not access damon_call() requests anymore. Secondly, let damon_call()
\nto cleanup the damon_call_control objects that were added to the
\nalready-terminated DAMON context, before returning the error.<\/p>\n
Severity: 0.0 | NA<\/p>\n
Visit the link for more details, such as CVSS details, affected products, timeline, and more…\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"
CVE ID : CVE-2026-23012 Published : Jan. 25, 2026, 3:15 p.m. | 1\u00a0hour, 46\u00a0minutes ago Description : In the Linux kernel, the following vulnerability has been resolved: mm\/damon\/core: remove call_control in inactive contexts If damon_call() is executed against a DAMON context that is not running, the function returns error while keeping the damon_call_control object linked …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-75808","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/75808","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=75808"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/75808\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=75808"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=75808"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=75808"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}