Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local low-priv access (AV:L/PR:L); race timing makes AC:H; impact is memory corruption causing integrity/availability loss (I:H/A:H) with no real disclosure (C:N).
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
dm cache policy smq: check allocation under invalidate lock
commit 2d1f7b65f5de ("dm cache policy smq: fix missing locks in invalidating cache blocks") added mq->lock around the destructive part of smq_invalidate_mapping(), but left the e->allocated check outside the critical section.
That leaves a check-then-act race. Two concurrent invalidators can both observe e->allocated as true before either of them takes mq->lock. The first invalidator that acquires the lock removes the entry from the queues and hash table and then calls free_entry(), which clears e->allocated and puts the entry back on the free list. The second invalidator can then acquire mq->lock and continue with the stale result of the unlocked check.
This can corrupt the SMQ queues or hash table by deleting an entry that is no longer on those structures. It can also hit the allocation check in free_entry() when the same entry is freed again.
Move the allocation check under mq->lock so the predicate and the destructive operations are serialized by the same lock.
AnalysisAI
Local privilege-escalation/memory-corruption in the Linux kernel device-mapper dm-cache 'smq' policy allows a low-privileged local user to trigger a check-then-act race in smq_invalidate_mapping(). The e->allocated predicate was evaluated outside mq->lock, so two concurrent cache-block invalidators can both see an entry as allocated and free it twice, corrupting the SMQ queues/hash table and tripping the allocation assertion in free_entry(). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the system to be running the device-mapper dm-cache target configured with the smq cache replacement policy, and the attacker must be a local low-privileged user (CVSS PR:L) able to initiate concurrent cache-block invalidation operations on that cache. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mostly consistent in pointing to a real but not urgent issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a host using dm-cache with the smq policy, a low-privileged local user with the ability to trigger cache-block invalidations races two concurrent invalidation operations against the same entry. Both observe the entry as allocated before either takes mq->lock, leading to a double free_entry() and corruption of the SMQ queues/hash table - crashing the kernel or potentially enabling further escalation. … |
| Remediation | Apply the vendor-released stable kernel update for your tree: upgrade to 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, or 7.0.13 (or later) as appropriate, which moves the e->allocated allocation check under mq->lock so the predicate and destructive operations are serialized. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all Linux systems using device-mapper dm-cache and identify kernel versions in use. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39216
GHSA-257g-7vrp-j9f8