Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local unprivileged code execution (AV:L/PR:L); AC:H because it requires the unusual CLONE_VM-not-CLONE_THREAD pattern and winning a lifetime race; the UAF yields full C/I/A impact.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
futex: Drop CLONE_THREAD requirement for private default hash alloc
Currently need_futex_hash_allocate_default() depends on strict pthread semantics, abusing CLONE_THREAD. This breaks the non-concurrency assumptions when doing the mm->futex_ref pcpu allocations, leading to bugs[0] when sharing the mm in other ways; ie:
BUG: KASAN: slab-use-after-free in futex_hash_put
... where the +1 bias can end up on a percpu counter that mm->futex_ref no longer points at.
Loosen the check to cover any CLONE_VM clone, except vfork(). Excluding vfork keeps the existing paths untouched (no overhead), and we can't race in the first place: either the parent is suspended and the child runs alone, or mm->futex_ref is already allocated from an earlier CLONE_VM.
AnalysisAI
Local privilege escalation in the Linux kernel futex subsystem stems from a slab use-after-free in futex_hash_put, triggered when a process shares its mm via CLONE_VM without CLONE_THREAD. The flawed need_futex_hash_allocate_default() check broke the non-concurrency assumption for per-CPU mm->futex_ref allocation, letting a stale +1 bias land on a percpu counter the mm no longer references. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the attacker to already have local code execution as at least an unprivileged user (CVSS PR:L) on an affected kernel (~6.17 through the fix). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are internally consistent and point to a real-but-bounded local issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local unprivileged user runs a crafted program that clones with CLONE_VM but not CLONE_THREAD, sharing the address space outside a normal thread group, then exercises futex operations to free and re-bias the mm->futex_ref percpu counter. The resulting use-after-free in futex_hash_put corrupts kernel slab memory, which a skilled attacker can shape into privilege escalation. … |
| Remediation | Upstream fix available (stable commits); patched versions are confirmed in the stable trees - update to a kernel containing commits 1dcd36420af2da5bd59306dba9caf78e3d248b1d / 974ac49a9a068b0591a59f65c63eb06579a13091 / ee9dce44362b2d8132c32964656ab6dff7dfbc6a (stable lines around 6.18.33 and the 7.0.10/7.1 series). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Linux systems running affected kernel versions through automated vulnerability scanning and asset inventory. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-825 – Expired Pointer Dereference
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38841
GHSA-9qj4-wr4g-7m6f