Bug 2482084 (CVE-2026-46097) - CVE-2026-46097 kernel: Input: edt-ft5x06 - fix use-after-free in debugfs teardown
Summary: CVE-2026-46097 kernel: Input: edt-ft5x06 - fix use-after-free in debugfs tear...
Keywords:
Status: NEW
Alias: CVE-2026-46097
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-27 15:10 UTC by OSIDB Bzimport
Modified: 2026-05-27 16:50 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-27 15:10:33 UTC
In the Linux kernel, the following vulnerability has been resolved:

Input: edt-ft5x06 - fix use-after-free in debugfs teardown

The commit 68743c500c6e ("Input: edt-ft5x06 - use per-client debugfs
directory") removed the manual debugfs teardown, relying on the I2C core
to handle it. However, this creates a window where debugfs files are
still accessible after edt_ft5x06_ts_teardown_debugfs() frees
tsdata->raw_buffer.

To prevent a use-after-free, protect the freeing of raw_buffer with the
device mutex and set raw_buffer to NULL. The debugfs read function
already checks if raw_buffer is NULL under the same mutex, so this
safely avoids the use-after-free.


Note You need to log in before you can comment on or make changes to this bug.