Skip to main content

Linux CVE-2026-23352

| EUVDEUVD-2026-15325 MEDIUM
Memory Leak (CWE-401)
2026-03-25 Linux GHSA-3ggx-9863-fxcm
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 24, 2026 - 18:07 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15325
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

x86/efi: defer freeing of boot services memory

efi_free_boot_services() frees memory occupied by EFI_BOOT_SERVICES_CODE and EFI_BOOT_SERVICES_DATA using memblock_free_late().

There are two issue with that: memblock_free_late() should be used for memory allocated with memblock_alloc() while the memory reserved with memblock_reserve() should be freed with free_reserved_area().

More acutely, with CONFIG_DEFERRED_STRUCT_PAGE_INIT=y efi_free_boot_services() is called before deferred initialization of the memory map is complete.

Benjamin Herrenschmidt reports that this causes a leak of ~140MB of RAM on EC2 t3a.nano instances which only have 512MB or RAM.

If the freed memory resides in the areas that memory map for them is still uninitialized, they won't be actually freed because memblock_free_late() calls memblock_free_pages() and the latter skips uninitialized pages.

Using free_reserved_area() at this point is also problematic because __free_page() accesses the buddy of the freed page and that again might end up in uninitialized part of the memory map.

Delaying the entire efi_free_boot_services() could be problematic because in addition to freeing boot services memory it updates efi.memmap without any synchronization and that's undesirable late in boot when there is concurrency.

More robust approach is to only defer freeing of the EFI boot services memory.

Split efi_free_boot_services() in two. First efi_unmap_boot_services() collects ranges that should be freed into an array then efi_free_boot_services() later frees them after deferred init is complete.

AnalysisAI

A memory management vulnerability in the Linux kernel's EFI boot services implementation causes a leak of approximately 140MB of RAM on systems with CONFIG_DEFERRED_STRUCT_PAGE_INIT enabled, particularly affecting resource-constrained EC2 instances with 512MB total RAM. The vulnerability occurs when efi_free_boot_services() attempts to free EFI boot services memory before the kernel's deferred memory map initialization is complete, resulting in freed pages being skipped and never returned to the memory pool. This is a kernel-level memory exhaustion issue affecting all Linux distributions, though impact is most severe on systems with minimal RAM; no active exploitation or proof-of-concept has been identified as this is a resource leak rather than a code execution vector.

Technical ContextAI

The vulnerability exists in the x86/EFI subsystem of the Linux kernel (affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) and involves improper handling of EFI_BOOT_SERVICES_CODE and EFI_BOOT_SERVICES_DATA memory regions during early boot. The root cause is a synchronization issue between two memory management subsystems: memblock (used during early boot) and the struct page initialization (deferred when CONFIG_DEFERRED_STRUCT_PAGE_INIT=y is set). When efi_free_boot_services() calls memblock_free_late() followed by memblock_free_pages(), it attempts to free pages whose struct page entries have not yet been initialized; memblock_free_pages() silently skips these uninitialized pages, causing a permanent leak. The underlying issue relates to improper resource lifecycle management and initialization ordering rather than a single CWE classification, as it combines aspects of use-after-free timing issues and resource exhaustion.

RemediationAI

Apply kernel security updates from your Linux distribution's official repositories, which include the fix to defer efi_free_boot_services() memory freeing until after deferred struct page initialization completes. For distributions: update to patched kernel versions available at git.kernel.org/stable/ (commits referenced above have been backported to stable branches); most major distributions have released or will release patched kernels. Until patching is complete, users on minimal-RAM systems (particularly EC2 t3a.nano instances) should consider upgrading instance types to allocate additional RAM, or temporarily disable CONFIG_DEFERRED_STRUCT_PAGE_INIT if recompiling the kernel is feasible (note: this requires custom kernel compilation and rebuilding). Verify the fix is present by checking that efi_free_boot_services() is split into efi_unmap_boot_services() (executed early) and a deferred efi_free_boot_services() call that executes after deferred memory initialization completes.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23352 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy