Skip to main content

Linux Kernel EUVDEUVD-2026-27738

| CVE-2026-43178 HIGH
Double Free (CWE-415)
2026-05-06 Linux GHSA-6xqc-j72q-x4c8
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:33 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.8 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
HIGH 7.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

procfs: fix possible double mmput() in do_procmap_query()

When user provides incorrectly sized buffer for build ID for PROCMAP_QUERY we return with -ENAMETOOLONG error. After recent changes this condition happens later, after we unlocked mmap_lock/per-VMA lock and did mmput(), so original goto out is now wrong and will double-mmput() mm_struct. Fix by jumping further to clean up only vm_file and name_buf.

AnalysisAI

Double memory management structure free (mmput) in Linux kernel procfs allows local authenticated attackers with low privileges to cause high-impact memory corruption, potentially leading to privilege escalation, information disclosure, or denial of service. The flaw triggers when userspace provides an incorrectly sized buffer to the PROCMAP_QUERY interface, causing the kernel to call mmput() twice on the same mm_struct after recent code refactoring moved cleanup logic. Patch available from kernel.org stable trees for versions 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates very low probability of exploitation in the wild, consistent with the local attack vector requiring authenticated access and specific API interaction. No CISA KEV listing or public exploit identified at time of analysis.

Technical ContextAI

This vulnerability affects the Linux kernel's procfs pseudo-filesystem, specifically the do_procmap_query() function introduced in recent kernel versions to provide userspace with detailed memory mapping information including build IDs. The affected CPE indicates a Linux kernel component vulnerability. The root cause is a use-after-free-like condition involving mm_struct reference counting: after recent refactoring, error handling for incorrectly sized build ID buffers now occurs after mmap_lock/per-VMA lock release and the first mmput() call, but the original error path still executed mmput() again. The mm_struct is the kernel's core memory management structure tracking process address spaces; calling mmput() twice on the same structure corrupts kernel memory management and can lead to arbitrary memory access. The PROCMAP_QUERY interface is relatively new, explaining why affected versions start from kernel 6.12 series forward based on EUVD version data. The vulnerability demonstrates classic cleanup path confusion following code reorganization-a common kernel bug pattern where lock ordering or resource release sequences change but not all error paths get updated consistently.

RemediationAI

Update to patched Linux kernel versions: 6.12.75 or later for 6.12.x series, 6.18.16 or later for 6.18.x series, 6.19.6 or later for 6.19.x series, or kernel 7.0 stable release. Patches are available from kernel.org stable trees at https://git.kernel.org/stable/c/f9fe092084cd04deea18747f58a2304026e76aaa (6.12 series), https://git.kernel.org/stable/c/8adaff87db143583e08eec4f4e7788f1ef8af94d (6.18 series), https://git.kernel.org/stable/c/90f5e87c9b75833b9ef3a4415b92c0247f28ab2f (6.19 series), and https://git.kernel.org/stable/c/61dc9f776705d6db6847c101b98fa4f0e9eb6fa3 (mainline). The fix corrects the goto error path in do_procmap_query() to skip the second mmput() call when buffer size validation fails. If immediate patching is not feasible, consider restricting unprivileged local user access to systems running affected kernels, though this significantly impacts usability and is not a sustainable mitigation. No effective workaround exists to disable the vulnerable code path without kernel recompilation, as procfs is core kernel functionality. Organizations using long-term support kernels should check with their distribution vendor (Red Hat, Ubuntu, SUSE, Debian) for backported patches to their supported kernel versions.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27738 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy