Skip to main content

Linux Kernel CVE-2026-46035

| EUVDEUVD-2026-32416 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-cx4p-78xj-392q
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

AC:H reflects two simultaneous non-attacker-controlled prerequisites - UP kernel build and NMI-context page allocation - beyond the NVD's AC:L; impact is purely availability.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 17:08 vuln.today
CVSS changed
Jun 16, 2026 - 17:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI on UP

On UP kernels (!CONFIG_SMP), spin_trylock() is a no-op that unconditionally succeeds even when the lock is already held. As a result, alloc_frozen_pages_nolock() called from NMI context can re-enter rmqueue() and acquire the zone lock that the interrupted context is already holding, corrupting the freelists.

With CONFIG_DEBUG_SPINLOCK on UP, the following BUG is triggered with the slub_kunit test module:

BUG: spinlock trylock failure on UP on CPU#0, kunit_try_catch/243 [...] Call Trace: <NMI> dump_stack_lvl+0x3f/0x60 do_raw_spin_trylock+0x41/0x50 _raw_spin_trylock+0x24/0x50 rmqueue.isra.0+0x2a9/0xa70 get_page_from_freelist+0xeb/0x450 alloc_frozen_pages_nolock_noprof+0x111/0x1e0 allocate_slab+0x42a/0x500 ___slab_alloc+0xa7/0x4c0 kmalloc_nolock_noprof+0x164/0x310 [...] </NMI>

Fix this by returning NULL early when invoked from NMI on a UP kernel.

AnalysisAI

Lock re-entrancy corruption in the Linux kernel's mm/page_alloc subsystem affects uniprocessor (UP/!CONFIG_SMP) builds, allowing freelist corruption that crashes the kernel. On UP kernels, spin_trylock() is a compile-time no-op that unconditionally succeeds; when alloc_frozen_pages_nolock() is invoked from NMI context, it re-enters rmqueue() and acquires the zone lock already held by the interrupted context, corrupting the page allocator's freelists. No public exploit exists and EPSS sits at the 4th percentile (0.02%), consistent with the narrow scope: only non-default UP kernel builds on specific kernel versions are affected, making this a targeted stability concern for embedded or legacy uniprocessor deployments rather than a broad production threat.

Technical ContextAI

The vulnerability resides in mm/page_alloc.c within the Linux kernel's physical memory allocator. On SMP builds, spin_trylock() correctly returns false if a lock is already held, preventing re-entrancy. On UP builds (!CONFIG_SMP), the kernel eliminates lock-contention overhead by making spin_trylock() unconditionally return true - a well-known but dangerous optimization when NMI-context callers are involved. NMI (Non-Maskable Interrupt) handlers can preempt any kernel context, including one already holding the zone lock inside rmqueue(). When the NMI handler triggers alloc_frozen_pages_nolock() (e.g., via SLUB's kmalloc_nolock_noprof as shown in the call trace), rmqueue() is re-entered, the zone lock is 'acquired' again via the no-op trylock, and the page allocator's freelist is corrupted. CWE is listed as N/A, but this maps most accurately to CWE-667 (Improper Locking) and CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization). Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*, with specific vulnerable commit range starting at d7242af8643409aae32243450341ef25b28d8a8c across multiple stable branches.

RemediationAI

Update to patched kernel versions: 6.18.27 or later for the 6.18 stable branch, 7.0.4 or later for the 7.0 stable branch, or 7.1-rc2 or later for the development tree. Upstream fix commits are available at https://git.kernel.org/stable/c/05b4ed8bef30bba4f559c8d835e2dd20c48cf8a4, https://git.kernel.org/stable/c/a6d57efeaae3f3b3656514f600eac96be713d90e, and https://git.kernel.org/stable/c/620b46ed6ae17c8438d889c8c0cfddab36a1476c. The fix adds an early NULL return from alloc_frozen_pages_nolock() when invoked from NMI context on UP kernels. For systems that cannot be immediately patched, rebuilding the kernel with CONFIG_SMP=y (if the hardware supports it) eliminates the vulnerability entirely with no functional trade-off on multi-core hardware. On genuinely single-core embedded platforms where SMP cannot be enabled, avoid loading kernel modules (such as slub_kunit) that trigger NMI-context page allocations in production; this reduces exposure but is not a complete fix. No vendor advisory URL beyond upstream stable commits is currently available.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46035 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy