Skip to main content

Linux EUVDEUVD-2026-18198

| CVE-2026-23416 MEDIUM
2026-04-02 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.2 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 24, 2026 - 15:37 NVD
5.5 (MEDIUM)
Patch released
Apr 02, 2026 - 14:30 nvd
Patch available
EUVD ID Assigned
Apr 02, 2026 - 12:00 euvd
EUVD-2026-18198
Analysis Generated
Apr 02, 2026 - 12:00 vuln.today
CVE Published
Apr 02, 2026 - 11:40 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mm/mseal: update VMA end correctly on merge

Previously we stored the end of the current VMA in curr_end, and then upon iterating to the next VMA updated curr_start to curr_end to advance to the next VMA.

However, this doesn't take into account the fact that a VMA might be updated due to a merge by vma_modify_flags(), which can result in curr_end being stale and thus, upon setting curr_start to curr_end, ending up with an incorrect curr_start on the next iteration.

Resolve the issue by setting curr_end to vma->vm_end unconditionally to ensure this value remains updated should this occur.

While we're here, eliminate this entire class of bug by simply setting const curr_[start/end] to be clamped to the input range and VMAs, which also happens to simplify the logic.

AnalysisAI

Memory sealing (mseal) in the Linux kernel incorrectly tracks virtual memory area (VMA) boundaries during merge operations, causing curr_end to become stale and resulting in incorrect iteration state. This flaw in mm/mseal.c affects Linux kernel versions where the mseal feature is present, allowing local attackers to potentially bypass memory sealing protections or trigger information disclosure by manipulating VMA merge behavior during seal operations.

Technical ContextAI

The vulnerability resides in the Linux kernel's memory sealing (mseal) subsystem, specifically in the virtual memory area (VMA) iteration logic used to apply seal flags across a range of memory. The mseal feature is a security mechanism that prevents processes from modifying memory protections on sealed regions. The root cause is a state-tracking bug where the code caches the end boundary of the current VMA (curr_end) but fails to update this value when vma_modify_flags() performs a VMA merge operation. When the loop advances by setting curr_start = curr_end, it uses stale boundary data, leading to incorrect VMA ranges being processed. The fix consolidates boundary tracking by unconditionally updating curr_end to vma->vm_end after each iteration and converting curr_start and curr_end to const values clamped to both the input range and individual VMA extents, eliminating the class of state-consistency bugs entirely.

RemediationAI

Apply the upstream fix from the stable kernel branch by pulling the corrected mm/mseal.c logic that unconditionally updates curr_end to vma->vm_end and converts curr_start and curr_end to const values clamped to input ranges. Kernel distributions should update to stable releases incorporating commits 40b3f4700e5535fbe74738cebb9379a40ec66bed, 83737e34b83a23b2a9bcf586b058b2c2a54c7c6b, or 2697dd8ae721db4f6a53d4f4cbd438212a80f8dc. For systems unable to upgrade immediately, disable mseal at compile time or via kernel parameters if the feature is not required by workloads. Consult your Linux distribution's security advisory for the recommended stable kernel version incorporating this fix and apply updates through your distribution's patch management process.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie not-affected - -
trixie (security) fixed 6.12.74-2 -
forky, sid vulnerable 6.19.10-1 -
(unstable) fixed (unfixed) -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-18198 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy