Skip to main content

Linux EUVDEUVD-2026-15372

| CVE-2026-23380 MEDIUM
Reachable Assertion (CWE-617)
2026-03-25 Linux GHSA-q6xr-q445-2xxh
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
3.3 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 24, 2026 - 16:37 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15372
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix WARN_ON in tracing_buffers_mmap_close

When a process forks, the child process copies the parent's VMAs but the user_mapped reference count is not incremented. As a result, when both the parent and child processes exit, tracing_buffers_mmap_close() is called twice. On the second call, user_mapped is already 0, causing the function to return -ENODEV and triggering a WARN_ON.

Normally, this isn't an issue as the memory is mapped with VM_DONTCOPY set. But this is only a hint, and the application can call madvise(MADVISE_DOFORK) which resets the VM_DONTCOPY flag. When the application does that, it can trigger this issue on fork.

Fix it by incrementing the user_mapped reference count without re-mapping the pages in the VMA's open callback.

AnalysisAI

A reference counting vulnerability in the Linux kernel's tracing subsystem causes a WARN_ON to trigger when a process forks and both parent and child processes exit, particularly when the application calls madvise(MADV_DOFORK) to enable VMA copy-on-fork behavior. The vulnerability affects all Linux kernel versions with the vulnerable tracing_buffers_mmap code and allows local attackers to cause a kernel warning that may lead to denial of service or information disclosure through the kernel warning itself. While not currently listed in KEV or known to be actively exploited, the vulnerability has been patched in stable kernel branches as indicated by four separate commit references.

Technical ContextAI

The vulnerability exists in the Linux kernel's tracing infrastructure, specifically in the tracing_buffers_mmap_close() function which manages memory-mapped access to kernel tracing buffers. When a VMA (Virtual Memory Area) is created for tracing buffers, the VM_DONTCOPY flag is set by default to prevent child processes from inheriting the mapping. However, when an application explicitly calls madvise(MADV_DOFORK), this flag is reset, allowing the child process to copy the parent's VMA. The root cause is a missing reference count increment in the VMA's open callback—when a VMA is copied during fork, the user_mapped counter is not incremented, leading to a mismatch: the parent process decrements the counter on exit, then the child process attempts to decrement an already-zero counter, triggering -ENODEV and a WARN_ON. The affected product is the Linux kernel across all versions (CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*). This is fundamentally a reference counting error (CWE class: improper resource management).

RemediationAI

Update the Linux kernel to a version that includes one of the four referenced patches (91f3e8d84c89918769e71393f839c9fefadc2580, cdd96641b64297a2db42676f051362b76280a58b, b0f269ba6fefe9e3cb9feedcf78fcd0b633800c0, or e39bb9e02b68942f8e9359d2a3efe7d37ae6be0e) available from https://git.kernel.org/stable/. Most Linux distributions will include the fix in their next kernel maintenance release. Until patching is possible, mitigate by ensuring applications do not call madvise(MADV_DOFORK) on memory-mapped tracing buffers—this is an unusual operation typically only performed by low-level debugging or tracing tools. For production systems where kernel updates must wait for distribution release cycles, consider disabling user-space access to kernel tracing buffers via appropriate seccomp rules or by restricting /sys/kernel/debug/tracing permissions to trusted users only.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15372 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy