Skip to main content

Linux Kernel CVE-2026-46093

| EUVDEUVD-2026-32476 HIGH
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-vf24-gv7c-563r
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:46 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mm/vmalloc: take vmap_purge_lock in shrinker

decay_va_pool_node() can be invoked concurrently from two paths: __purge_vmap_area_lazy() when pools are being purged, and the shrinker via vmap_node_shrink_scan().

However, decay_va_pool_node() is not safe to run concurrently, and the shrinker path currently lacks serialization, leading to races and possible leaks.

Protect decay_va_pool_node() by taking vmap_purge_lock in the shrinker path to ensure serialization with purge users.

AnalysisAI

Concurrent execution race in the Linux kernel's mm/vmalloc subsystem allows a local low-privileged attacker to trigger memory corruption or leaks by exercising the vmap_node shrinker simultaneously with lazy vmap purge operations. The flaw stems from unserialized invocation of decay_va_pool_node() between __purge_vmap_area_lazy() and the shrinker path. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the issue is patched upstream in the stable tree.

Technical ContextAI

The bug lives in mm/vmalloc.c, the virtual address allocator that backs kernel allocations like vmalloc(), module loading, and various I/O mappings. The vmap subsystem maintains per-node pools of cached, lazily-freed VA ranges; decay_va_pool_node() shrinks those pools and was reachable both from __purge_vmap_area_lazy() (the synchronous purge path holding vmap_purge_lock) and from vmap_node_shrink_scan() (the memory shrinker callback), without the shrinker taking that lock. The result is a classic concurrency defect in the CWE-362/CWE-667 family (race condition / improper locking) where two CPUs can manipulate the same pool structures, producing list corruption or leaked vmap areas. The fix simply acquires vmap_purge_lock inside the shrinker path so the two callers are serialized.

RemediationAI

Apply the vendor-released patches by upgrading to Linux kernel 6.18.27, 7.0.4, or 7.1-rc1 (or any later release that includes the upstream commits ec05f51f, 12f2341b, and 687ccdf5 referenced at https://git.kernel.org/stable/c/ec05f51f1e65bce95528543eb73fda56fd201d94, https://git.kernel.org/stable/c/12f2341b4c235d5593a433abac201c1c6725787f, and https://git.kernel.org/stable/c/687ccdf582169cd680aeaf24cc953807c4cd4345) and reboot, since this is a non-livepatchable core mm change on most distros. There is no clean userspace workaround because the vmap shrinker is driven by global memory pressure; partial mitigations are to reduce attacker ability to influence shrinker timing by limiting untrusted local code execution (restrict shell access, unprivileged containers, and unprivileged user namespaces) and to lower memory pressure on exposed hosts (raise vm.min_free_kbytes, avoid running at near-OOM), accepting the trade-off of reduced memory utilization and tighter access policies. Pending reboot, monitor dmesg for vmalloc list-corruption or BUG warnings as a detection proxy.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46093 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy