CVE-2026-43388 Overview
CVE-2026-43388 affects the Linux kernel's Data Access MONitor (DAMON) subsystem. The flaw resides in the damos_walk() function within mm/damon/core. The function assigns the caller-provided control structure to ctx->walk_control before verifying whether the context is active. When damon_is_running() returns false, the function returns -EINVAL without clearing the pointer. This leaves a dangling reference to a stack-allocated structure that is freed once the caller returns.
Critical Impact
The dangling walk_control pointer can theoretically lead to a use-after-free if the context is later started, and reliably produces a permanent -EBUSY condition for subsequent damos_walk() calls until the context is restarted.
Affected Products
- Linux kernel versions containing the DAMON damos_walk() implementation prior to the fix
- Stable kernel branches referenced by commits 9320c771, ce0aa47c, and d210fdca
- Distributions shipping vulnerable upstream kernels
Discovery Timeline
- 2026-05-08 - CVE-2026-43388 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43388
Vulnerability Analysis
The damos_walk() function in mm/damon/core implements a walker that iterates DAMON-based Operation Scheme (DAMOS) state under a caller-supplied control object. The control object is allocated on the caller's stack and linked into the context via ctx->walk_control. The function links the control before checking whether the DAMON context is running.
When the context is inactive, damos_walk() returns -EINVAL and the caller's stack frame unwinds. The control structure on the stack ceases to exist, but ctx->walk_control still references that memory region. This pattern is structurally identical to the issue fixed in commit f9132fbc2e83 for damon_call().
Real-world impact is constrained. No in-tree caller starts the context after a failed damos_walk(), so use-after-free is not currently reachable. The observable symptom is a permanent -EBUSY from subsequent damos_walk() invocations while the context remains off. Restarting DAMON allocates a fresh damon_ctx, clearing the stale state.
Root Cause
The root cause is missing cleanup on an error path. damos_walk() assigns ctx->walk_control before validating that the context is running, then exits with -EINVAL without unlinking the control under walk_control_lock. The function lacks symmetry between linking and unlinking on the inactive-context branch.
Attack Vector
Exploitation requires local access with the ability to invoke DAMON ioctl or sysfs interfaces that ultimately call damos_walk(). An unprivileged user cannot reach the code path without DAMON administrative rights. The use-after-free condition is not reachable through existing kernel callers, limiting the practical attack surface to the denial-of-service-like -EBUSY condition.
The vulnerability is a kernel memory safety defect. No verified proof-of-concept code is published. The upstream fix clears ctx->walk_control under walk_control_lock before returning -EINVAL. See the Kernel Git Commit d210fdca for the canonical patch.
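As an added illustration, not the kernel's own code, the following user-space model reproduces the ordering the advisory describes: the control is linked into ctx->walk_control before the running check, so the buggy inactive-context branch leaves a stale pointer that turns every later call into -EBUSY, while the fixed branch unlinks it under walk_control_lock before returning -EINVAL. The struct layout, the unlink_control() helper and the fixed flag are simplifications assumed for the example.

```c
/* Added example, not kernel code: user-space model of the damos_walk() error path. */
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>

struct damos_walk_control { int visited; };
struct damon_ctx {
    bool running;
    struct damos_walk_control *walk_control;   /* NULL when no walk is linked */
    pthread_mutex_t walk_control_lock;
};
static void unlink_control(struct damon_ctx *ctx)
{
    pthread_mutex_lock(&ctx->walk_control_lock);
    ctx->walk_control = NULL;
    pthread_mutex_unlock(&ctx->walk_control_lock);
}
/* fixed=false reproduces the bug (stale pointer left on the inactive-context
 * branch); fixed=true applies the upstream fix (unlink before -EINVAL). */
static int damos_walk_model(struct damon_ctx *ctx,
                            struct damos_walk_control *control, bool fixed)
{
    pthread_mutex_lock(&ctx->walk_control_lock);
    if (ctx->walk_control) {            /* a control is still linked */
        pthread_mutex_unlock(&ctx->walk_control_lock);
        return -EBUSY;
    }
    ctx->walk_control = control;        /* linked BEFORE the running check */
    pthread_mutex_unlock(&ctx->walk_control_lock);
    if (!ctx->running) {                /* damon_is_running() in the kernel */
        if (fixed) unlink_control(ctx);
        return -EINVAL;                 /* bug: control dangles once the caller returns */
    }
    control->visited++;                 /* stand-in for the real walk */
    unlink_control(ctx);
    return 0;
}
/* Two walks on a stopped context; the first control goes out of scope after
 * failing, like the caller's stack frame. Returns the second call's result. */
static int second_walk_on_stopped_ctx(bool fixed)
{
    struct damon_ctx ctx = { false, NULL, PTHREAD_MUTEX_INITIALIZER };
    {
        struct damos_walk_control c1 = { 0 };
        if (damos_walk_model(&ctx, &c1, fixed) != -EINVAL) return -1;
    }
    struct damos_walk_control c2 = { 0 };
    return damos_walk_model(&ctx, &c2, fixed);   /* -EBUSY if buggy, -EINVAL if fixed */
}
```

The model only compares the stale pointer against NULL and never dereferences it, which is exactly why the symptom on a real system is a stuck -EBUSY rather than a crash.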
Detection Methods for CVE-2026-43388
Indicators of Compromise
- Repeated -EBUSY (-16) return codes from DAMON damos_walk() user-space callers while DAMON is reported as not running
- Userland DAMON tooling reporting that scheme walks cannot be initiated despite the daemon being stopped
- Kernel log entries referencing the mm/damon/core subsystem when running unpatched stable kernels
Detection Strategies
- Inventory running kernel versions across Linux hosts and compare against fixed commits 9320c771, ce0aa47c, and d210fdca
- Audit workloads that enable CONFIG_DAMON and CONFIG_DAMON_SYSFS to identify systems within scope
- Monitor for anomalous DAMON sysfs interactions originating from non-administrative users
Monitoring Recommendations
- Collect kernel version telemetry from endpoint inventory pipelines and alert on hosts running pre-patch stable kernels
- Track DAMON state and scheme walk interfaces under /sys/kernel/mm/damon/ for unusual access patterns
- Forward kernel audit and dmesg logs to a central data lake to retain long-term context for kernel-subsystem regressions
How to Mitigate CVE-2026-43388
Immediate Actions Required
- Apply the upstream Linux kernel patches that clear ctx->walk_control under walk_control_lock on inactive contexts
- Rebuild and deploy kernels containing commits 9320c771, ce0aa47c, or d210fdca across affected fleets
- Restart any host that has observed persistent -EBUSY returns from DAMON to reinitialize damon_ctx state
Patch Information
The fix mirrors the resolution applied in commit f9132fbc2e83 for damon_call(). It clears ctx->walk_control under walk_control_lock before returning -EINVAL when the context is inactive. Vendor-supplied kernels should be updated through the distribution's standard package channel. Refer to kernel Git commits 9320c771, ce0aa47c, and d210fdca for the authoritative source changes.
Workarounds
- Avoid triggering the defect at runtime by ensuring the DAMON context is started before any damos_walk() call, or by not invoking scheme walks on inactive contexts
- Restrict access to DAMON sysfs interfaces under /sys/kernel/mm/damon/ to trusted administrators only
- Where feasible, build kernels without CONFIG_DAMON_SYSFS until patched binaries are deployed
# Verify the running kernel and whether DAMON and its sysfs interface are built in
uname -r
grep -E 'CONFIG_DAMON(_SYSFS)?=' /boot/config-$(uname -r)
# Restrict DAMON sysfs access to root; sysfs is in-memory, so this does not
# persist across a reboot and must be reapplied (e.g. from a boot-time unit)
chmod -R o-rwx /sys/kernel/mm/damon/ 2>/dev/null || true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.