Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local-only (AV:L) non-deterministic NMI/entropy race gives AC:H; some local foothold assumed (PR:L); realistic impact is weakened randomness (C:L) and possible instability (A:L), not full triad.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
memcg: use round-robin victim selection in refill_stock
Harry Yoo reported that get_random_u32_below() is not safe to call in the nmi context and memcg charge draining can happen in nmi context.
More specifically get_random_u32_below() is neither reentrant- nor NMI-safe: it acquires a per-cpu local_lock via local_lock_irqsave() on the batched_entropy_u32 state. An NMI that lands on a CPU mid-update of the ChaCha batch state and recurses into the random subsystem would corrupt that state. The memcg_stock local_trylock prevents re-entry on the percpu stock itself, but cannot protect an unrelated subsystem's per-cpu lock.
Replace the random pick with a per-cpu round-robin counter stored in memcg_stock_pcp and serialized by the same local_trylock that already guards cached[] and nr_pages[]. No atomics, no random calls, no extra locks needed.
AnalysisAI
Local privilege/availability weakness in the Linux kernel memory cgroup (memcg) subsystem stems from refill_stock() calling get_random_u32_below() for victim selection, a routine that is neither reentrant- nor NMI-safe. Because memcg charge draining can occur in NMI context, an NMI landing mid-update of the per-CPU batched_entropy_u32 ChaCha state could corrupt the random subsystem's per-CPU local_lock state. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Triggering requires three concurrent conditions on the same CPU: (1) the Linux kernel must perform memcg (cgroup memory) charge draining in NMI context, (2) that NMI must land precisely while the batched_entropy_u32 ChaCha state is mid-update under its local_lock, and (3) the NMI handler path must recurse into the random subsystem (get_random_u32_below). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD/kernel CVSS of 7.8 (AV:L/AC:L/PR:L/UI:N/C:H/I:H/A:H) appears to be an automated, conservative worst-case rating that overstates real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a multi-tenant or container host under heavy memory pressure, frequent NMIs (e.g., perf sampling or hardware events) coincide with memcg charge draining; an NMI fires while a CPU is mid-update of its batched ChaCha entropy state and recurses into the random subsystem, corrupting that per-CPU state. The realistic outcome is non-deterministic kernel instability or weakened per-CPU randomness rather than reliable attacker-controlled code execution. … |
| Remediation | Vendor-released patch: update to Linux kernel 7.0.13, 6.18.36, or 7.1 (or later) via your distribution's kernel update channel, which carries the upstream commits that replace get_random_u32_below() with a per-CPU round-robin counter (stable trees: https://git.kernel.org/stable/c/89bd8215e25aa6999cc51696da418e0d422bc5e0 and the related commits). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Linux systems and identify current kernel versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39253
GHSA-9mhf-2p25-mwm3