Skip to main content

Linux CVE-2026-23432

| EUVDEUVD-2026-18669 HIGH
Use After Free (CWE-416)
2026-04-03 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 23, 2026 - 21:11 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 21:11 NVD
7.8 (HIGH)
Patch available
Apr 16, 2026 - 05:29 EUVD
6922db250422a0dfee34de322f86b7a73d713d33,34861bdc0c0196b6c2dd48f7454029407704ff6e
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18669
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mshv: Fix use-after-free in mshv_map_user_memory error path

In the error path of mshv_map_user_memory(), calling vfree() directly on the region leaves the MMU notifier registered. When userspace later unmaps the memory, the notifier fires and accesses the freed region, causing a use-after-free and potential kernel panic.

Replace vfree() with mshv_partition_put() to properly unregister the MMU notifier before freeing the region.

AnalysisAI

A use-after-free vulnerability in the Linux kernel's mshv (Microsoft Hyper-V) driver allows local attackers to trigger a kernel panic by unmapping user memory after a failed mshv_map_user_memory() call. The error path incorrectly calls vfree() without unregistering the associated MMU notifier, leaving a dangling reference that fires when userspace performs subsequent memory operations. This is a memory safety issue affecting the Hyper-V virtualization subsystem in the Linux kernel.

Technical ContextAI

The vulnerability exists in the Microsoft Hyper-V partition (mshv) driver, a Linux kernel module that provides user-space access to Hyper-V virtualization features. The mshv_map_user_memory() function registers an MMU (Memory Management Unit) notifier to track memory events for a partition region. When an error occurs during memory mapping, the error path calls vfree() directly to free the region structure without invoking mshv_partition_put(), which is responsible for unregistering the MMU notifier. This leaves the notifier registered and pointing to freed memory. Later, when userspace unmaps or modifies the memory, the kernel's MMU notifier subsystem invokes the dangling callback, causing the freed region to be accessed. The root cause is improper resource cleanup in error handling, falling into the CWE category of use-after-free (CWE-416). The fix replaces the direct vfree() call with mshv_partition_put(), ensuring the notifier is properly deregistered before memory is released.

RemediationAI

Apply the Linux stable kernel fix by updating to a patched kernel version. The upstream fix is available in commit 6922db250422a0dfee34de322f86b7a73d713d33 and commit 34861bdc0c0196b6c2dd48f7454029407704ff6e in the Linux kernel stable repository (https://git.kernel.org/stable). Users should obtain and install the latest stable kernel release that includes these commits. For distributions, check with your vendor's security advisory for the patched kernel version. If immediate patching is not possible, restrict local access to the system and disable the mshv driver module (if not required for virtualization workloads) using modprobe -r mshv or via kernel module blacklisting.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23432 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy