Cyber Resilience

CVE-2026-23012

High

Published: 25 January 2026
Modified: 25 March 2026
KEV Added: not listed
Patch: available (stable commits linked under Deeper analysis)
CVSS v3.1: 7.8 High (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0003 (7.4th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23012 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel. Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 7.4th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23012 is a use-after-free in the kernel's DAMON (Data Access MONitor) core, mm/damon/core. damon_call() links the caller's damon_call_control object onto the context's call_controls list; when the context is not running it then returns an error without unlinking that object. If the caller subsequently frees the object and a later damon_call() is made against the same context, the new object is linked behind the stale entry: the list still holds a pointer to freed memory, and the insertion writes through it. That is the use-after-free.

A local attacker with write access to the DAMON sysfs interface (PR:L in the vector) can trigger the condition through a specific, unusual sequence of sysfs writes; the fix commit itself notes that reproduction takes "definitely weird" writes rather than normal use. The CVSS v3.1 vector 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) scores a use-after-free in kernel memory as high impact on confidentiality, integrity and availability. Two practical caveats for triage: on a default kernel the DAMON sysfs tree under /sys/kernel/mm/damon/admin/ is writable only by root, so the precondition usually means an already-privileged user or a deliberately relaxed permission; and the interface only exists on kernels built with CONFIG_DAMON and CONFIG_DAMON_SYSFS.

The kernel patch makes two changes. First, the final kdamond_call() that cancels outstanding damon_call() requests on a terminating context is moved before ctx->kdamond is reset, so that a NULL ctx->kdamond reliably means no further access to the call requests will occur. Second, damon_call() now unlinks any damon_call_control it added to an already-terminated context before returning the error, so the caller can free the object safely. The fixes are in stable commits https://git.kernel.org/stable/c/23b061f421eef03647b512f3df48861706c87db3 and https://git.kernel.org/stable/c/f9132fbc2e83baf2c45a77043672a63a675c9394.
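To make the list handling concrete, here is an added userspace model of the pre-fix and post-fix damon_call() paths. It is not kernel code and not taken from the fix commits: the list helpers mirror the shape of <linux/list.h>, the context and control structures are reduced to the fields the bug needs, a `running` flag stands in for a non-NULL ctx->kdamond, and a toy slab with a freed flag replaces the real allocator so the dangling entry can be counted rather than crashing the process.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Intrusive doubly linked list, same shape as <linux/list.h>. */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    struct list_head *prev = head->prev; /* stale on the buggy path: a freed object */
    n->next = head;
    n->prev = prev;
    prev->next = n;                      /* this store is the use-after-free write */
    head->prev = n;
}

static void list_del(struct list_head *e)
{
    e->prev->next = e->next;
    e->next->prev = e->prev;
    e->next = e->prev = NULL;
}

/* Reduced structures; `running` models "ctx->kdamond != NULL". */
struct damon_ctx { int running; struct list_head call_controls; };
struct damon_call_control { struct list_head list; int id; };

/* Toy slab: objects live in a static pool and freeing only flips a flag, so a
 * list walk that reaches a freed object stays defined behaviour here and can
 * be counted. On a real kernel this is the access KASAN would report. */
enum { SLOT_FREE = 0, SLOT_IN_USE = 1, SLOT_FREED = 2 };
#define POOL_SIZE 4
static struct damon_call_control pool[POOL_SIZE];
static int slot_state[POOL_SIZE];

static void pool_reset(void)
{
    memset(pool, 0, sizeof pool);
    memset(slot_state, 0, sizeof slot_state);
}

static struct damon_call_control *ctl_alloc(int id)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (slot_state[i] == SLOT_FREE) { /* never reuse a slot: stale pointers stay visible */
            slot_state[i] = SLOT_IN_USE;
            pool[i].id = id;
            return &pool[i];
        }
    }
    return NULL;
}

static void ctl_free(struct damon_call_control *c) { slot_state[c - pool] = SLOT_FREED; }

static int ctl_is_freed(const struct list_head *e)
{
    uintptr_t p = (uintptr_t)e, lo = (uintptr_t)pool, hi = (uintptr_t)(pool + POOL_SIZE);
    if (p < lo || p >= hi)
        return 0;
    return slot_state[(const struct damon_call_control *)e - pool] == SLOT_FREED;
}

/* Number of entries on the context's list that point at freed objects. */
static int count_dangling(const struct damon_ctx *ctx)
{
    int n = 0;
    for (const struct list_head *e = ctx->call_controls.next; e != &ctx->call_controls; e = e->next)
        n += ctl_is_freed(e);
    return n;
}

/* Pre-fix path: link first, then notice the context is not running and bail out. */
static int damon_call_buggy(struct damon_ctx *ctx, struct damon_call_control *c)
{
    list_add_tail(&c->list, &ctx->call_controls);
    if (!ctx->running)
        return -EINVAL;          /* c stays linked although the caller owns and may free it */
    return 0;
}

/* Post-fix path: unlink the control before returning the error. */
static int damon_call_fixed(struct damon_ctx *ctx, struct damon_call_control *c)
{
    list_add_tail(&c->list, &ctx->call_controls);
    if (!ctx->running) {
        list_del(&c->list);
        return -EINVAL;
    }
    return 0;
}

/* The advisory's sequence against a non-running context: call A, free A,
 * call B. Returns how many list entries dangle afterwards (-1 on surprise). */
static int run_scenario(int (*call)(struct damon_ctx *, struct damon_call_control *))
{
    struct damon_ctx ctx = { .running = 0 };
    INIT_LIST_HEAD(&ctx.call_controls);
    pool_reset();

    struct damon_call_control *a = ctl_alloc(1);
    if (call(&ctx, a) != -EINVAL)
        return -1;
    ctl_free(a);                 /* caller discards its request object */

    struct damon_call_control *b = ctl_alloc(2);
    if (call(&ctx, b) != -EINVAL)
        return -1;
    return count_dangling(&ctx);
}

int main(void)
{
    printf("buggy damon_call: %d dangling entries\n", run_scenario(damon_call_buggy));
    printf("fixed damon_call: %d dangling entries\n", run_scenario(damon_call_fixed));
    return 0;
}
```

The buggy path leaves one entry on the list pointing at the freed object, and linking B stores through its next pointer, which is exactly the write a sanitizer would flag on a real kernel; the fixed path leaves the list empty after each failed call. The kernel's first change (cancelling outstanding calls before clearing ctx->kdamond) is deliberately not modelled, since it concerns the kdamond thread's shutdown ordering rather than the list operation itself.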


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: remove call_control in inactive contexts If damon_call() is executed against a DAMON context that is not running, the function returns error while keeping the damon_call_control object linked to the context's call_controls list. Let's suppose the object is deallocated after the damon_call(), and yet another damon_call() is executed against the same context. The function tries to add the new damon_call_control object to the call_controls list, which still has the pointer to the previous damon_call_control object, which is deallocated. As a result, use-after-free happens. This can actually be triggered using the DAMON sysfs interface. It is not easily exploitable since it requires the sysfs write permission and making definitely weird file writes, though. Please refer to the report for more details about the issue reproduction steps. Fix the issue by making two changes. Firstly, move the final kdamond_call() for cancelling all existing damon_call() requests from terminating DAMON context to be done before the ctx->kdamond reset. This makes any code that sees NULL ctx->kdamond able to safely assume the context may not access damon_call() requests anymore. Secondly, let damon_call() clean up the damon_call_control objects that were added to the already-terminated DAMON context, before returning the error.

CWE(s)

CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A kernel use-after-free reachable through crafted writes to the DAMON sysfs interface is a classic path from a local user who can write those files to kernel-level code execution, which is why T1068 is the matching technique.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux kernel)
CVE-2026-31530 (same product: Linux kernel)
CVE-2026-43019 (same product: Linux kernel)
CVE-2026-23158 (same product: Linux kernel)
CVE-2025-21893 (same product: Linux kernel)
CVE-2026-31446 (same product: Linux kernel)
CVE-2026-31650 (same product: Linux kernel)
CVE-2026-23001 (same product: Linux kernel)
CVE-2024-50051 (same product: Linux kernel)
CVE-2025-21759 (same product: Linux kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Versions: 6.17 and 6.19; 6.17.1 through 6.18.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2 Flaw Remediation): Timely kernel patching resolves the use-after-free in the DAMON core; the two stable commits listed under Deeper analysis carry the fix.

prevent (CM-7 Least Functionality): Disabling DAMON, or at least its sysfs interface, removes the attack surface entirely. On a self-built kernel that means CONFIG_DAMON=n or CONFIG_DAMON_SYSFS=n; on a distribution kernel, keep the default root-only permissions on /sys/kernel/mm/damon/admin/ rather than granting write access to unprivileged users.

prevent: Kernel hardening such as slab freelist randomization and KASLR does not remove the bug, but it raises the cost of turning this use-after-free into a reliable privilege escalation.
