What is CVE-2026-46288?

CVE-2026-46288 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 6.12 onward and patched in 6.12.86, 6.18.27, 7.0.4 and others. CVE-2026-46288 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2026-46288?

CVE-2026-46288 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2026-46288?

Yes, CVE-2026-46288 has been patched. Fixed versions include 6.12.86, 6.18.27, 7.0.4 and others. If you are running Linux kernel 6.12 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2026-46288 actively exploited?

CVE-2026-46288 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2026-46288

In the Linux kernel, the following vulnerability has been resolved: of: unittest: fix use-after-free in of_unittest_changeset() The variable 'parent' is assigned the value of 'nchangeset' earlier in the function, meaning both point to the same struct device_node. The call to of_node_put(nchangeset) can decrement the reference count to zero and free the node if there are no other holders. After that, the code still uses 'parent' to check for the presence of a property and to read a string property, leading to a use-after-free. Fix this by moving the of_node_put() call after the last access to 'parent', avoiding the UAF.

Package Linux Kernel

Published 2026-06-08

Last modified 2026-06-08

Patch available

Yes

Affected versions

Linux kernel versions 6.12 and later are affected. Fixed in 6.12.86, 6.18.27, 7.0.4, 7.1-rc1 and their respective stable series.

Affected from

≥ 6.12

Fixed in

✓ 6.12.86 6.12.x ✓ 6.18.27 6.18.x ✓ 7.0.4 7.0.x ✓ 7.1-rc1

References

The following references provide additional information about CVE-2026-46288 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/37318d1a27c9cc5a70d3cd7e49e30ec86f2b8ca1
Patch
Kernel patch commit
https://git.kernel.org/stable/c/6fdad20b7975bdc32e85b45f8f7c640f6687b81f
Patch
Kernel patch commit
https://git.kernel.org/stable/c/7f0f0926f3010b10cff5e93446258f971e42f2fd
Patch

4 patch commits total View all on NVD

Frequently asked questions

What is CVE-2026-46288?

CVE-2026-46288 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 6.12 onward and has been patched in 6.12.86, 6.18.27, 7.0.4 and others. CVE-2026-46288 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2026-46288?

Yes — CVE-2026-46288 has been patched. Fixed versions include 6.12.86, 6.18.27, 7.0.4 and others. If you are running Linux kernel 6.12 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2026-46288 actively exploited?

No — CVE-2026-46288 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.