HIGH
cpufreq Governor Double Free
CVE-2026-43328
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 5.8 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path

When kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls kobject_put(&dbs_data->attr_set.kobj). The kobject release callback cpufreq_dbs_data_release() calls gov->exit(dbs_data) and kfree(dbs_data), but the current error path then calls gov->exit(dbs_data) and kfree(dbs_data) again, causing a double free.

Keep the direct kfree(dbs_data) for the gov->init() failure path, but after kobject_init_and_add() has been called, let kobject_put() handle the cleanup through cpufreq_dbs_data_release().
02 KernelScan AI Analysis
Risk summary
A double free vulnerability in the cpufreq governor initialization error path can cause kernel memory corruption and system crashes. This affects systems where privileged processes modify CPU frequency scaling policies and encounter initialization failures.
Vulnerability analysis
The vulnerability occurs when kobject_init_and_add() fails during cpufreq governor initialization. The error path calls kobject_put(), which triggers a release callback that frees the dbs_data structure, but the error handling code then attempts to free the same structure again. The fix restructures the error path to let kobject_put() handle all cleanup through the release callback, avoiding the duplicate free operations. This requires root privileges to trigger through cpufreq policy operations.
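The error path described above, as a simplified userspace C model (an added example, not the kernel's code or the patch). All `model_*` names, `struct counts` and `run_error_path()` are hypothetical, and frees are counted instead of performed so the pre-fix behaviour can be observed without corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model; model_* names are hypothetical stand-ins, not kernel APIs.
 * Frees are counted, not performed, so the pre-fix path corrupts nothing. */
struct model_kobj { int refcount; void (*release)(struct model_kobj *); };
struct model_dbs_data { struct model_kobj kobj; /* must stay first */ };
struct counts { int exit_calls; int free_calls; };
static struct counts seen;

static void model_gov_exit(struct model_dbs_data *d) { (void)d; seen.exit_calls++; }
static void model_kfree(void *p) { (void)p; seen.free_calls++; }
/* Plays the role of cpufreq_dbs_data_release(): gov->exit(), then kfree(). */
static void model_release(struct model_kobj *k) {
    model_gov_exit((struct model_dbs_data *)k);
    model_kfree(k);
}
/* Takes the initial reference, then fails, like a failed kobject_init_and_add(). */
static int model_kobject_init_and_add(struct model_kobj *k) {
    k->refcount = 1;
    k->release = model_release;
    return -1;
}
static void model_kobject_put(struct model_kobj *k) {
    if (--k->refcount == 0) k->release(k);
}

enum fail_at { FAIL_GOV_INIT, FAIL_KOBJECT_ADD };
/* Runs one failing init; returns how often dbs_data was exited and freed. */
struct counts run_error_path(enum fail_at where, int fixed) {
    struct model_dbs_data *d = calloc(1, sizeof(*d));
    seen = (struct counts){0, 0};
    if (!d) return (struct counts){-1, -1};
    if (where == FAIL_GOV_INIT) {
        model_kfree(d);               /* no kobject yet: direct free is correct */
    } else if (model_kobject_init_and_add(&d->kobj) != 0) {
        model_kobject_put(&d->kobj);  /* release callback runs exit + free */
        if (!fixed) {                 /* pre-fix: same cleanup repeated by hand */
            model_gov_exit(d);
            model_kfree(d);
        }
    }
    free(d);                          /* the model's only real free */
    return seen;
}

int main(void) {
    struct counts c = run_error_path(FAIL_KOBJECT_ADD, 0);
    printf("pre-fix: exit=%d free=%d\n", c.exit_calls, c.free_calls);
    return 0;
}
```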
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 4b9118e93d24 |
| 5.15 | 5.15.209 | 019ea2862972 |
| 5.2 | 5.2 | 56bc91ee78ba |
| 6.1 | 6.1.168 | da39ee627fd8 |
| 6.12 | 6.12.81 | d2703b4f8fb7 |
| 6.18 | 6.18.22 | 3bf9d023d232 |
| 6.19 | 6.19.12 | 6dcf9d0064ce |
| 6.6 | 6.6.134 | 427d048e4f6a |
| mainline | 7.0 | — |