Skip to main content

Linux CVE-2026-23415

| EUVDEUVD-2026-18196 HIGH
Use After Free (CWE-416)
2026-04-02 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
5.2 MEDIUM
qualitative
Red Hat
5.7 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 24, 2026 - 15:37 vuln.today
cvss_changed
CVSS changed
Apr 24, 2026 - 15:37 NVD
7.8 (HIGH)
Patch released
Apr 02, 2026 - 14:30 nvd
Patch available
EUVD ID Assigned
Apr 02, 2026 - 12:00 euvd
EUVD-2026-18196
Analysis Generated
Apr 02, 2026 - 12:00 vuln.today
CVE Published
Apr 02, 2026 - 11:40 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()

During futex_key_to_node_opt() execution, vma->vm_policy is read under speculative mmap lock and RCU. Concurrently, mbind() may call vma_replace_policy() which frees the old mempolicy immediately via kmem_cache_free().

This creates a race where __futex_key_to_node() dereferences a freed mempolicy pointer, causing a use-after-free read of mpol->mode.

[ 151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349) [ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87

[ 151.415969] Call Trace:

[ 151.416732] __asan_load2 (mm/kasan/generic.c:271) [ 151.416777] __futex_key_to_node (kernel/futex/core.c:349) [ 151.416822] get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)

Fix by adding rcu to __mpol_put().

AnalysisAI

Use-after-free vulnerability in Linux kernel futex handling allows local attackers to read freed memory via race condition between futex_key_to_node_opt() and vma_replace_policy(). When mbind() concurrently replaces virtual memory area policies, __futex_key_to_node() may dereference a freed mempolicy structure, enabling information disclosure of kernel memory. The vulnerability requires local access and precise timing but poses memory safety risk in multi-threaded applications using futex operations alongside memory policy changes.

Technical ContextAI

The vulnerability resides in the Linux kernel's futex subsystem (kernel/futex/core.c) and memory policy management (mm/mempolicy.c). During futex key resolution, the kernel reads vma->vm_policy under speculative mmap lock protection and RCU read-side critical section. Concurrently, the mbind() system call may invoke vma_replace_policy() which immediately frees the old mempolicy object via kmem_cache_free() without waiting for RCU grace period completion. This creates a classic use-after-free condition where __futex_key_to_node() dereferences mpol->mode field in freed memory. The root cause is improper synchronization between RCU-protected readers (futex code) and writers (memory policy replacement). Fix involves wrapping mempolicy deallocation with RCU callbacks via __mpol_put() to ensure safe reclamation only after all speculative readers complete.

RemediationAI

Vendor-released patch available via upstream Linux stable commits 853f70c67d1b37e368fdcb3e328c4b8c04f53ac0, 7e196194ea27bd49adf3551e2aceb83498eb73fe, and 190a8c48ff623c3d67cb295b4536a660db2012aa accessible at https://git.kernel.org/stable/. Apply kernel update incorporating RCU synchronization fix in __mpol_put() to defer mempolicy deallocation until completion of all speculative readers. Systems should upgrade to kernel versions integrating the referenced commits. For immediate mitigation prior to patching, limit concurrent futex operations and memory policy changes through workload isolation or scheduling constraints, though patch application is strongly recommended as definitive fix.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie not-affected - -
trixie (security) fixed 6.12.74-2 -
forky, sid vulnerable 6.19.10-1 -
(unstable) fixed (unfixed) -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23415 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy