Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local access and cgroup-manipulation privileges give AV:L/PR:L; winning a narrow reparent race window justifies AC:H; kernel list corruption yields full C/I/A impact.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
mm/list_lru: drain before clearing xarray entry on reparent
memcg_reparent_list_lrus() clears the dying memcg's xarray entry with xas_store(&xas, NULL) before reparenting its per-node lists into the parent. This opens a window where a concurrent list_lru_del() arriving for the dying memcg sees xa_load() == NULL, walks to the parent in lock_list_lru_of_memcg(), takes the parent's per-node lock, and calls list_del_init() on an item still physically linked on the dying memcg's list.
If another in-flight thread holds the dying memcg's per-node lock at the same moment (another list_lru_del, or a list_lru_walk_one running an isolate callback), both threads modify ->next/->prev pointers on the same physical list under different locks. Adjacent items can corrupt each other's links.
Fix it by reversing the order: reparent each per-node list and mark the child's list lru dead and then clear the xarray entry. Any concurrent list_lru op that finds the still-set xarray entry either takes the dying memcg's per-node lock (synchronizing with the drain) or sees LONG_MIN and walks to the parent, where the items now live.
AnalysisAI
Kernel memory corruption in the Linux memory-management list_lru subsystem (memory cgroup reparenting path) allows a local user to corrupt linked-list pointers and destabilize or potentially escalate privileges on the system. The flaw is a race condition in memcg_reparent_list_lrus(), affecting kernels from 6.13 onward; it carries CVSS 7.8 (High) with full confidentiality, integrity and availability impact but a low EPSS of 0.17% (7th percentile). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local code execution on the host and the ability to create/destroy memory cgroups (memcg) - e.g., via delegated cgroup v2 subtrees or unprivileged user namespaces - so that memcg_reparent_list_lrus() runs while the attacker concurrently drives list_lru_del() or list_lru_walk_one() operations against the dying cgroup. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 7.8 High) reflects a local, low-privilege flaw with high impact, consistent with kernel memory corruption that can lead to denial of service or potential privilege escalation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local unprivileged or low-privileged user repeatedly creates and destroys memory cgroups while simultaneously generating heavy reclaimable-object churn (e.g., dentry/inode pressure) to force concurrent list_lru_del operations during reparenting. By winning the race window, the attacker corrupts kernel linked-list pointers, causing a kernel panic (DoS) or, with sufficient heap-grooming control, a memory-corruption primitive that could be developed toward privilege escalation. … |
| Remediation | Upstream fix available (commits), released patched version reported by EUVD as 6.18.36 and 7.0.13 on their respective stable branches - upgrade to a stable kernel that contains commit 2b66496d794e98f7aeec7688573051f22ec40bac, 98733f3f0becb1ae0701d021c1748e974e5fa55c, or c19ff4351214f059349788e13e70e74325831ff6 as appropriate to your branch (see https://git.kernel.org/stable/c/2b66496d794e98f7aeec7688573051f22ec40bac and the two sibling commits). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running Linux kernel versions 6.13 or later across your infrastructure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Enterprise Linux
View allIn Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events
The Netlogon server implementation in smbd in Samba 3.5.x and 3.6.x before 3.6.25, 4.0.x before 4.0.25, 4.1.x before 4.1
Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.2
Sudo before 1.9.17p1 contains a local root escalation vulnerability (CVE-2025-32463, CVSS 9.3) through the --chroot opti
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable memory corruption vulnerability in the Advanced V
Integer overflow in the read_nttrans_ea_list function in nttrans.c in smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.
Algorithmic complexity vulnerability in the multipart_buffer_headers function in main/rfc1867.c in PHP before 5.4.41, 5.
Adobe Flash Player versions 26.0.0.137 and earlier have an exploitable type confusion vulnerability when parsing SWF fil
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before
NetBIOS name services daemon (nmbd) in Samba 4.0.x before 4.0.21 and 4.1.x before 4.1.11 allows remote attackers to exec
The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and
Same weakness CWE-820 – Missing Synchronization
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39244
GHSA-x5g3-hx3c-gfxx