CVE-2026-23012
Published: 25 January 2026
Summary
CVE-2026-23012 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 7.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-23012 is a use-after-free vulnerability in the Linux kernel's DAMON (Data Access MONitor) core module, specifically within mm/damon/core. The issue arises when damon_call() is invoked on a non-running DAMON context, causing the function to return an error while leaving the damon_call_control object linked to the context's call_controls list. If this object is subsequently deallocated and another damon_call() is executed on the same context, the new object is added to the list containing a dangling pointer to the freed memory, resulting in a use-after-free condition.
A local attacker with sysfs write permissions (PR:L) can exploit this vulnerability by performing specific, unusual writes to the DAMON sysfs interface. Successful exploitation leads to a use-after-free, which the CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) rates as enabling high impacts on confidentiality, integrity, and availability. The vulnerability is not easily exploitable due to the need for precise, non-standard sysfs interactions.
The provided kernel patch references detail the mitigation. The fix involves two changes: first, relocating the final kdamond_call() for canceling existing damon_call() requests to occur before resetting ctx->kdamond in terminating contexts, ensuring that a NULL ctx->kdamond safely indicates no further access to call requests; second, modifying damon_call() to clean up any damon_call_control objects added to already-terminated contexts before returning an error. These changes are available in stable kernel commits at https://git.kernel.org/stable/c/23b061f421eef03647b512f3df48861706c87db3 and https://git.kernel.org/stable/c/f9132fbc2e83baf2c45a77043672a63a675c9394.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4617
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: remove call_control in inactive contexts. If damon_call() is executed against a DAMON context that is not running, the function returns an error while keeping the damon_call_control object linked to the context's call_controls list. Let's suppose the object is deallocated after the damon_call(), and yet another damon_call() is executed against the same context. The function tries to add the new damon_call_control object to the call_controls list, which still has the pointer to the previous damon_call_control object, which is deallocated. As a result, use-after-free happens. This can actually be triggered using the DAMON sysfs interface. It is not easily exploitable, though, since it requires the sysfs write permission and making some definitely weird file writes. Please refer to the report for more details about the issue reproduction steps. Fix the issue by making two changes. Firstly, move the final kdamond_call() for cancelling all existing damon_call() requests from the terminating DAMON context to be done before the ctx->kdamond reset. This makes any code that sees a NULL ctx->kdamond able to safely assume the context may not access damon_call() requests anymore. Secondly, let damon_call() clean up the damon_call_control objects that were added to the already-terminated DAMON context, before returning the error.
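The mechanism in the "Deeper analysis" and "Vulnerability details" sections above, as an added user-space model that is not kernel code: a request object is linked onto the context's list, the "not running" check fails, and only the fixed variant unlinks the object on the error path before the caller frees it. The struct layouts, the singly linked list, the running flag standing in for a non-NULL ctx->kdamond, and the kdamond_call() drain are simplifying assumptions; only the second of the two fix changes (error-path cleanup in damon_call()) is modelled. The scenario counts what is still linked at the moment the caller frees, so no freed memory is ever dereferenced.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed simplified shapes of the kernel objects, for illustration only. */
struct damon_call_control {
    int id;                              /* stands in for the real request payload */
    struct damon_call_control *next;     /* simplified singly linked list */
};

struct damon_ctx {
    bool running;                        /* models ctx->kdamond being non-NULL */
    struct damon_call_control *call_controls;  /* head of pending call requests */
};

static void list_add(struct damon_ctx *ctx, struct damon_call_control *c)
{
    c->next = ctx->call_controls;
    ctx->call_controls = c;
}

static void list_del(struct damon_ctx *ctx, struct damon_call_control *c)
{
    struct damon_call_control **pp = &ctx->call_controls;
    for (; *pp; pp = &(*pp)->next) {
        if (*pp == c) {
            *pp = c->next;
            c->next = NULL;
            return;
        }
    }
}

/* Models the running worker servicing (or cancelling) every pending request. */
static void kdamond_call(struct damon_ctx *ctx)
{
    while (ctx->call_controls)
        list_del(ctx, ctx->call_controls);
}

/* Entries currently linked on ctx->call_controls. */
size_t pending_calls(const struct damon_ctx *ctx)
{
    size_t n = 0;
    for (const struct damon_call_control *c = ctx->call_controls; c; c = c->next)
        n++;
    return n;
}

/* Pre-fix pattern: link first, then bail out on a stopped context without
 * unlinking, so the caller's object stays referenced after it is freed. */
int damon_call_buggy(struct damon_ctx *ctx, struct damon_call_control *c)
{
    list_add(ctx, c);
    if (!ctx->running)
        return -EINVAL;                  /* error, but c is still on the list */
    return 0;
}

/* Post-fix pattern: the error path unlinks the object before returning, so
 * the context never keeps a pointer to memory the caller is about to free. */
int damon_call_fixed(struct damon_ctx *ctx, struct damon_call_control *c)
{
    list_add(ctx, c);
    if (!ctx->running) {
        list_del(ctx, c);
        return -EINVAL;
    }
    return 0;
}

/* Runs the scenario from the advisory against either variant. Returns how
 * many entries the context still references when the caller frees its
 * object: 1 means a dangling pointer is left behind, 0 means the list is clean.
 * (size_t)-1 signals an allocation failure in the harness itself. */
size_t run_scenario(int (*call)(struct damon_ctx *, struct damon_call_control *),
                    bool running)
{
    struct damon_ctx ctx = { .running = running, .call_controls = NULL };
    struct damon_call_control *c = calloc(1, sizeof *c);
    if (!c)
        return (size_t)-1;
    c->id = 1;
    if (call(&ctx, c) == 0)
        kdamond_call(&ctx);              /* a running context consumes the request */
    size_t left = pending_calls(&ctx);   /* counted before the free: no UAF here */
    free(c);                             /* the deallocation the description refers to */
    return left;
}

int main(void)
{
    printf("buggy, stopped ctx: %zu dangling entry\n", run_scenario(damon_call_buggy, false));
    printf("fixed, stopped ctx: %zu dangling entries\n", run_scenario(damon_call_fixed, false));
    printf("fixed, running ctx: %zu pending after service\n", run_scenario(damon_call_fixed, true));
    return 0;
}
```

The defensive takeaway is the invariant the fix restores: an object may remain linked into a longer-lived structure only while the caller is guaranteed not to free it, so every early-return path after the link must undo it. Tools such as KASAN report exactly the dangling reference the buggy variant leaves behind when the next request walks the list.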
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local kernel use-after-free reachable through the DAMON sysfs interface directly enables privilege escalation via crafted writes by a low-privileged user.
Mitigating Controls (NIST 800-53 r5)
Timely remediation through kernel patching directly resolves the use-after-free vulnerability in the DAMON core module as provided in the stable commits.
Disabling DAMON or its sysfs interface where it is not needed removes the attack surface that the required writes depend on.
Kernel memory protection mechanisms such as freelist randomization and KASLR make exploitation of the use-after-free condition harder.