Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local, debug-only build plus a boot-timing race gives AV:L/AC:H/PR:L; observed impact is a kernel warning (minor availability noise) with no confidentiality or integrity loss, so C:N/I:N/A:L.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
mm/alloc_tag: clear codetag for pages allocated before page_ext initialization
Due to initialization ordering, page_ext is allocated and initialized relatively late during boot. Some pages have already been allocated and freed before page_ext becomes available, leaving their codetag uninitialized.
A clear example is in init_section_page_ext(): alloc_page_ext() calls kmemleak_alloc(). If the slab cache has no free objects, it falls back to the buddy allocator to allocate memory. However, at this point page_ext is not yet fully initialized, so these newly allocated pages have no codetag set. These pages may later be reclaimed by KASAN, which causes the warning to trigger when they are freed because their codetag ref is still empty.
Use a global array to track pages allocated before page_ext is fully initialized. The array size is fixed at 8192 entries, and will emit a warning if this limit is exceeded. When page_ext initialization completes, set their codetag to empty to avoid warnings when they are freed later.
This warning is only observed with CONFIG_MEM_ALLOC_PROFILING_DEBUG=Y and mem_profiling_compressed disabled:
[ 9.582133] ------------[ cut here ]------------ [ 9.582137] alloc_tag was not set [ 9.582139] WARNING: ./include/linux/alloc_tag.h:164 at __pgalloc_tag_sub+0x40f/0x550, CPU#5: systemd/1 [ 9.582190] CPU: 5 UID: 0 PID: 1 Comm: systemd Not tainted 7.0.0-rc4 #1 PREEMPT(lazy) [ 9.582192] Hardware name: Red Hat KVM, BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 9.582194] RIP: 0010:__pgalloc_tag_sub+0x40f/0x550 [ 9.582196] Code: 00 00 4c 29 e5 48 8b 05 1f 88 56 05 48 8d 4c ad 00 48 8d 2c c8 e9 87 fd ff ff 0f 0b 0f 0b e9 f3 fe ff ff 48 8d 3d 61 2f ed 03 <67> 48 0f b9 3a e9 b3 fd ff ff 0f 0b eb e4 e8 5e cd 14 02 4c 89 c7 [ 9.582197] RSP: 0018:ffffc9000001f940 EFLAGS: 00010246 [ 9.582200] RAX: dffffc0000000000 RBX: 1ffff92000003f2b RCX: 1ffff110200d806c [ 9.582201] RDX: ffff8881006c0360 RSI: 0000000000000004 RDI: ffffffff9bc7b460 [ 9.582202] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff3a62324 [ 9.582203] R10: ffffffff9d311923 R11: 0000000000000000 R12: ffffea0004001b00 [ 9.582204] R13: 0000000000002000 R14: ffffea0000000000 R15: ffff8881006c0360 [ 9.582206] FS: 00007ffbbcf2d940(0000) GS:ffff888450479000(0000) knlGS:0000000000000000 [ 9.582208] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 9.582210] CR2: 000055ee3aa260d0 CR3: 0000000148b67005 CR4: 0000000000770ef0 [ 9.582211] PKRU: 55555554 [ 9.582212] Call Trace: [ 9.582213] <TASK> [ 9.582214] ? __pfx___pgalloc_tag_sub+0x10/0x10 [ 9.582216] ? check_bytes_and_report+0x68/0x140 [ 9.582219] __free_frozen_pages+0x2e4/0x1150 [ 9.582221] ? __free_slab+0xc2/0x2b0 [ 9.582224] qlist_free_all+0x4c/0xf0 [ 9.582227] kasan_quarantine_reduce+0x15d/0x180 [ 9.582229] __kasan_slab_alloc+0x69/0x90 [ 9.582232] kmem_cache_alloc_noprof+0x14a/0x500 [ 9.582234] do_getname+0x96/0x310 [ 9.582237] do_readlinkat+0x91/0x2f0 [ 9.582239] ? __pfx_do_readlinkat+0x10/0x10 [ 9.582240] ? get_random_bytes_user+0x1df/0x2c0 [ 9.582244] __x64_sys_readlinkat+0x96/0x100 [ 9.582246] do_syscall_64+0xce/0x650 [ 9.582250] ? __x64_sys_getrandom+0x13a/0x1e0 [ 9.582252] ? __pfx___x64_sys_getrandom+0x10/0x10 [ 9.582254] ? do_syscall_64+0x114/0x650 [ 9.582255] ? ksys_read+0xfc/0x1d0 [ 9.582258] ? __pfx_ksys_read+0x10/0x10 [ 9.582260] ? do_syscall_64+0x114/0x650 [ 9.582262] ? do_syscall_64+0x114/0x650 [ 9.582264] ? __pfx_fput_close_sync+0x10/0x10 [ 9.582266] ? file_close_fd_locked+0x178/0x2a0 [ 9.582268] ? __x64_sys_faccessat2+0x96/0x100 [ 9.582269] ? __x64_sys_close+0x7d/0xd0 [ 9.582271] ? do_syscall_64+0x114/0x650 [ 9.582273] ? do_syscall_64+0x114/0x650 [ 9.582275] ? clear_bhb_loop+0x50/0xa0 [ 9.582277] ? clear_bhb_l ---truncated---
AnalysisAI
Improper handling of allocation-profiling codetags in the Linux kernel's mm/alloc_tag subsystem causes an 'alloc_tag was not set' WARNING when pages allocated before page_ext initialization are later freed, because their codetag reference was never set. This affects local systems running kernels built with the debug option CONFIG_MEM_ALLOC_PROFILING_DEBUG and with mem_profiling_compressed disabled, and is triggered by ordinary boot-time activity (e.g. KASAN quarantine reclaim freeing early-allocated pages). It is classified under CWE-415 (double free) but the observed effect is a kernel warning splat; there is no public exploit identified at time of analysis and EPSS is negligible (0.02%).
Technical ContextAI
The affected component is the kernel memory allocation profiling infrastructure (mm/alloc_tag), which relies on page_ext to store per-page 'codetag' metadata attributing allocations to their source location. Because page_ext is initialized relatively late during boot, some pages are allocated and freed before it is available - for example init_section_page_ext() -> alloc_page_ext() -> kmemleak_alloc() can fall back to the buddy allocator when the slab cache has no free objects. Those pages carry no codetag, so when they are later freed (here via KASAN quarantine reduction: kasan_quarantine_reduce -> qlist_free_all -> __free_frozen_pages -> __pgalloc_tag_sub) the assertion at include/linux/alloc_tag.h:164 fires. The fix records such early pages in a fixed 8192-entry global array and clears their codetag to empty once page_ext initialization completes, warning if the array overflows. The CWE-415 (double free) label describes the mismatched alloc/free accounting of the codetag reference rather than a classic exploitable heap double-free.
RemediationAI
Upgrade to a patched kernel: vendor-released patches are available in stable 6.18.27, 7.0.4, and mainline 7.1-rc1, and via distribution updates Ubuntu USN-8489-1 (https://ubuntu.com/security/notices/USN-8489-1) and USN-8488-1 (https://ubuntu.com/security/notices/USN-8488-1). If maintaining a custom kernel, apply upstream commit d5b495ba9de0, b49dfabc38ca, or 6b1842775a46 from git.kernel.org/stable. Because the warning only occurs when the kernel is built with CONFIG_MEM_ALLOC_PROFILING_DEBUG=Y and mem_profiling_compressed disabled, a zero-code workaround is to build or run a kernel without CONFIG_MEM_ALLOC_PROFILING_DEBUG (or enable mem_profiling_compressed); the trade-off is loss of allocation-profiling debug diagnostics, which is acceptable on production systems that do not need them. Standard production kernels that do not enable this debug option are not affected and need only routine patching.
Same weakness CWE-415 – Double Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35144
GHSA-q7fc-6xm7-37m9