What is CVE-2026-46021?

CVE-2026-46021 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 4.2 onward and patched in 6.6.140, 6.12.86, 6.18.27 and others. CVE-2026-46021 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2026-46021?

CVE-2026-46021 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2026-46021?

Yes, CVE-2026-46021 has been patched. Fixed versions include 6.6.140, 6.12.86, 6.18.27 and others. If you are running Linux kernel 4.2 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2026-46021 actively exploited?

CVE-2026-46021 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2026-46021

In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix thermal zone governor cleanup issues If thermal_zone_device_register_with_trips() fails after adding a thermal governor to the thermal zone being registered, the governor is not removed from it as appropriate which may lead to a memory leak. In turn, thermal_zone_device_unregister() calls thermal_set_governor() without acquiring the thermal zone lock beforehand which may race with a governor update via sysfs and may lead to a use-after-free in that case. Address these issues by adding two thermal_set_governor() calls, one to thermal_release() to remove the governor from the given thermal zone, and one to the thermal zone registration error path to cover failures preceding the thermal zone device registration.

Package Linux Kernel

Published 2026-05-27

Last modified 2026-05-27

Patch available

Yes

Affected versions

Linux kernel versions 4.2 and later are affected. Fixed in 6.6.140, 6.12.86, 6.18.27, 7.0.4, 7.1-rc1 and their respective stable series.

Affected from

≥ 4.2

Fixed in

✓ 6.6.140 6.6.x ✓ 6.12.86 6.12.x ✓ 6.18.27 6.18.x ✓ 7.0.4 7.0.x ✓ 7.1-rc1

References

The following references provide additional information about CVE-2026-46021 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/37a430a2d4e66ec8238da6c7f7e48809bf265e13
Patch
Kernel patch commit
https://git.kernel.org/stable/c/41ff66baf81c6541f4f985dd7eac4494d03d9440
Patch
Kernel patch commit
https://git.kernel.org/stable/c/64d4ebf91d082034bbc5ae3ba2d7fd800bc02d06
Patch

5 patch commits total View all on NVD

Frequently asked questions

What is CVE-2026-46021?

CVE-2026-46021 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 4.2 onward and has been patched in 6.6.140, 6.12.86, 6.18.27 and others. CVE-2026-46021 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2026-46021?

Yes — CVE-2026-46021 has been patched. Fixed versions include 6.6.140, 6.12.86, 6.18.27 and others. If you are running Linux kernel 4.2 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2026-46021 actively exploited?

No — CVE-2026-46021 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.