Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local access to a test-only module with low privileges (PR:L); race-like fault ordering raises AC:H; availability is the dominant impact (panic), with limited C/I from UAF.
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
lib: test_hmm: evict device pages on file close to avoid use-after-free
Patch series "Minor hmm_test fixes and cleanups".
Two bugfixes a cleanup for the HMM kernel selftests. These were mostly reported by Zenghui Yu with special thanks to Lorenzo for analysing and pointing out the problems.
This patch (of 3):
When dmirror_fops_release() is called it frees the dmirror struct but doesn't migrate device private pages back to system memory first. This leaves those pages with a dangling zone_device_data pointer to the freed dmirror.
If a subsequent fault occurs on those pages (eg. during coredump) the dmirror_devmem_fault() callback dereferences the stale pointer causing a kernel panic. This was reported [1] when running mm/ksft_hmm.sh on arm64, where a test failure triggered SIGABRT and the resulting coredump walked the VMAs faulting in the stale device private pages.
Fix this by calling dmirror_device_evict_chunk() for each devmem chunk in dmirror_fops_release() to migrate all device private pages back to system memory before freeing the dmirror struct. The function is moved earlier in the file to avoid a forward declaration.
AnalysisAI
Use-after-free in the Linux kernel's HMM (Heterogeneous Memory Management) test driver (lib/test_hmm) allows local users to trigger a kernel panic and potentially escalate privileges when device private pages are faulted in after the dmirror file descriptor is closed. The flaw was discovered during arm64 selftest runs where a SIGABRT coredump walked stale VMAs and dereferenced a dangling zone_device_data pointer. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the bug is fixed upstream across multiple stable trees.
Technical ContextAI
The affected component is lib/test_hmm.c, the kernel selftest module for HMM device private memory used to validate the migrate_to_ram fault path for ZONE_DEVICE pages. On dmirror_fops_release(), the dmirror struct was being freed without first calling dmirror_device_evict_chunk() to migrate device private pages back to system memory, so the page->zone_device_data pointer continued to reference freed memory. A later page fault - for example during coredump VMA walking - invoked dmirror_devmem_fault() on those stale pages, dereferencing the dangling pointer. This is a classic CWE-416 (Use After Free) condition rooted in resource lifecycle mismanagement between file release and device-memory page ownership. Affected CPE strings are cpe:2.3:a:linux:linux:*, and the bug is present in kernels that build the HMM selftest module (CONFIG_TEST_HMM), which is typically only enabled on test/QA kernels rather than production distributions.
RemediationAI
Vendor-released patch: upgrade to Linux 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 (or later) depending on your stable series, per the kernel.org stable commits at https://git.kernel.org/stable/c/9de1eb0aac2862d6144b8db0ec1388e79f8bc3e1, https://git.kernel.org/stable/c/38f113f81d3f0adc658a4475dd3ecaec985e21d3, https://git.kernel.org/stable/c/bf477abd448c76bb8ea51c9b4f63a3a17c4b6239, https://git.kernel.org/stable/c/744dd97752ef1076a8d8672bb0d8aa2c7abc1144, and https://git.kernel.org/stable/c/5846715b6382dd4c6a69b35a56ca6115d33bc2a0. As a compensating control until rebuild, set CONFIG_TEST_HMM=n and rebuild the kernel - this removes the vulnerable module entirely at the cost of losing HMM selftest coverage on that host; if rebuilding is not possible, blacklist the test_hmm module via /etc/modprobe.d and restrict permissions on /dev/hmm_dmirror* device nodes to root only, with the side effect of breaking any local HMM test tooling. Avoid generating coredumps from processes that have mapped HMM device-private pages on unpatched test kernels, since coredump-triggered faults are the specific path that surfaces the UAF.
Same weakness CWE-416 – Use After Free
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Desktop 15 SP7 | Affected |
| SUSE Linux Enterprise Desktop 15 SP7 | Affected |
| SUSE Linux Enterprise High Availability Extension 15 SP7 | Affected |
| SUSE Linux Enterprise High Availability Extension 15 SP7 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise Live Patching 15 SP7 | Affected |
| SUSE Linux Enterprise Live Patching 15 SP7 | Affected |
| SUSE Linux Enterprise Micro 5.3 | Affected |
| SUSE Linux Enterprise Micro 5.3 | Affected |
| SUSE Linux Enterprise Micro 5.3 | Affected |
| SUSE Linux Enterprise Micro 5.3 | Affected |
| SUSE Linux Enterprise Micro 5.4 | Affected |
| SUSE Linux Enterprise Micro 5.4 | Affected |
| SUSE Linux Enterprise Micro 5.4 | Affected |
| SUSE Linux Enterprise Micro 5.4 | Affected |
| SUSE Linux Enterprise Micro 5.5 | Affected |
| SUSE Linux Enterprise Micro 5.5 | Affected |
| SUSE Linux Enterprise Micro 5.5 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Legacy 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Legacy 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Public Cloud 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Public Cloud 15 SP7 | Affected |
| SUSE Linux Enterprise Real Time 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Affected |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Affected |
| SUSE Linux Micro 6.0 | Affected |
| SUSE Linux Micro 6.0 | Affected |
| SUSE Linux Micro 6.0 | Affected |
| SUSE Linux Micro 6.1 | Affected |
| SUSE Linux Micro 6.1 | Affected |
| SUSE Linux Micro 6.1 | Affected |
| SUSE Linux Micro 6.2 | Affected |
| SUSE Linux Micro 6.2 | Affected |
| SUSE Real Time Module 15 SP7 | Affected |
| openSUSE Leap 16.0 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Live Patching 12 SP5 | Not-Affected |
| SUSE Linux Enterprise Live Patching 12 SP5 | Not-Affected |
| SUSE Linux Enterprise Live Patching 15 SP4 | Affected |
| SUSE Linux Enterprise Live Patching 15 SP4 | Affected |
| SUSE Linux Enterprise Live Patching 15 SP5 | Affected |
| SUSE Linux Enterprise Live Patching 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP4 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP6 | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP4 | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP6 | Affected |
| SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE | Not-Affected |
| SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE | Not-Affected |
| SUSE Linux Enterprise Server 12 SP5 | Not-Affected |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Not-Affected |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Not-Affected |
| SUSE Linux Enterprise Server 15 SP4 | Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP5 | Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP6 | Affected |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Affected |
| SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Affected |
| SUSE Manager Proxy 4.3 | Affected |
| SUSE Manager Proxy LTS 4.3 | Affected |
| SUSE Manager Retail Branch Server 4.3 | Affected |
| SUSE Manager Retail Branch Server LTS 4.3 | Affected |
| SUSE Manager Server 4.3 | Affected |
| SUSE Manager Server LTS 4.3 | Affected |
| SUSE CaaS Platform 4.0 | Not-Affected |
| SUSE Enterprise Storage 6 | Not-Affected |
| SUSE Enterprise Storage 7 | Not-Affected |
| SUSE Enterprise Storage 7.1 | Affected |
| SUSE Linux Enterprise Desktop 11 SP4 | Not-Affected |
| SUSE Linux Enterprise Desktop 12 SP4 | Not-Affected |
| SUSE Linux Enterprise Desktop 15 SP1 | Not-Affected |
| SUSE Linux Enterprise Desktop 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Desktop 15 SP3 | Affected |
| SUSE Linux Enterprise Desktop 15 SP4 | Affected |
| SUSE Linux Enterprise Desktop 15 SP5 | Affected |
| SUSE Linux Enterprise Desktop 15 SP6 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Affected |
| SUSE Linux Enterprise Micro 5.0 | Not-Affected |
| SUSE Linux Enterprise Micro 5.1 | Affected |
| SUSE Linux Enterprise Micro 5.2 | Affected |
| SUSE Linux Enterprise Micro 5.2 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP1 | Not-Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP3 | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP1 | Not-Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP3 | Affected |
| SUSE Linux Enterprise Real Time 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Real Time 15 SP3 | Affected |
| SUSE Linux Enterprise Real Time 15 SP4 | Affected |
| SUSE Linux Enterprise Real Time 15 SP4 | Affected |
| SUSE Linux Enterprise Real Time 15 SP5 | Affected |
| SUSE Linux Enterprise Server 11 SP4 | Not-Affected |
| SUSE Linux Enterprise Server 11 SP4-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 12 SP4 | Not-Affected |
| SUSE Linux Enterprise Server 12 SP4-ESPOS | Not-Affected |
| SUSE Linux Enterprise Server 12 SP4-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 12 SP4-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP1 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP1-BCL | Not-Affected |
| SUSE Linux Enterprise Server 15 SP1-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP1-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP2-BCL | Not-Affected |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP3 | Affected |
| SUSE Linux Enterprise Server 15 SP3-BCL | Affected |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP1 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| SUSE Manager Proxy 4.0 | Not-Affected |
| SUSE Manager Proxy 4.1 | Not-Affected |
| SUSE Manager Proxy 4.2 | Affected |
| SUSE Manager Retail Branch Server 4.0 | Not-Affected |
| SUSE Manager Retail Branch Server 4.1 | Not-Affected |
| SUSE Manager Retail Branch Server 4.2 | Affected |
| SUSE Manager Server 4.0 | Not-Affected |
| SUSE Manager Server 4.1 | Not-Affected |
| SUSE Manager Server 4.2 | Affected |
| SUSE OpenStack Cloud 9 | Not-Affected |
| SUSE OpenStack Cloud Crowbar 9 | Not-Affected |
| SUSE Real Time Module 15 SP4 | Affected |
| SUSE Real Time Module 15 SP5 | Affected |
| openSUSE Leap 15.3 | Affected |
| openSUSE Leap 15.4 | Affected |
| openSUSE Leap 15.4 | Affected |
| openSUSE Leap 15.5 | Affected |
| openSUSE Leap 15.5 | Affected |
| openSUSE Leap 15.6 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35145
GHSA-vjjg-r28q-g2g4