CVE-2026-23195

In the Linux kernel, the following vulnerability has been resolved: cgroup/dmem: avoid pool UAF An UAF issue was observed: BUG: KASAN: slab-use-after-free in page_counter_uncharge+0x65/0x150 Write of size 8 at addr ffff888106715440 by task insmod/527 CPU: 4 UID: 0 PID: 527 Comm: insmod 6.19.0-rc7-next-20260129+ #11 Tainted: [O]=OOT_MODULE Call Trace: <TASK> dump_stack_lvl+0x82/0xd0 kasan_report+0xca/0x100 kasan_check_range+0x39/0x1c0 page_counter_uncharge+0x65/0x150 dmem_cgroup_uncharge+0x1f/0x260 Allocated by task 527: Freed by task 0: The buggy address belongs to the object at ffff888106715400 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 64 bytes inside of freed 512-byte region [ffff888106715400, ffff888106715600) The buggy address belongs to the physical page: Memory state around the buggy address: ffff888106715300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888106715380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888106715400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888106715480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888106715500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb The issue occurs because a pool can still be held by a caller after its associated memory region is unregistered. The current implementation frees the pool even if users still hold references to it (e.g., before uncharge operations complete). This patch adds a reference counter to each pool, ensuring that a pool is only freed when its reference count drops to zero.

CVSS v3 7.0 HIGH

7.0^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.0 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/99a2ef500906138ba58093b9893972a5c303c734	Patch
https://git.kernel.org/stable/c/d3081353acaa6a638dcf75726066ea556a2de8d5	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc6::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc7::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc8::::::

History

03 Apr 2026, 14:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~7.8~~	v2 : unknown v3 : 7.0

19 Mar 2026, 17:45

Type	Values Removed	Values Added
References	~~() https://git.kernel.org/stable/c/99a2ef500906138ba58093b9893972a5c303c734 -~~	() https://git.kernel.org/stable/c/99a2ef500906138ba58093b9893972a5c303c734 - Patch
References	~~() https://git.kernel.org/stable/c/d3081353acaa6a638dcf75726066ea556a2de8d5 -~~	() https://git.kernel.org/stable/c/d3081353acaa6a638dcf75726066ea556a2de8d5 - Patch
CWE		CWE-416
CPE		cpe:2.3:o:linux:linux_kernel:6.19:rc1:::::: cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.19:rc8:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc6:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc7::::::
First Time		Linux Linux linux Kernel
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8

18 Feb 2026, 17:52

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: cgroup/dmem: evitar UAF de pool Se observó un problema de UAF: ERROR: KASAN: slab-uso después de liberación en page_counter_uncharge+0x65/0x150 Escritura de tamaño 8 en addr ffff888106715440 por la tarea insmod/527 CPU: 4 UID: 0 PID: 527 Comm: insmod 6.19.0-rc7-next-20260129+ #11 Tainted: [O]=OOT_MODULE Traza de Llamada: dump_stack_lvl+0x82/0xd0 kasan_report+0xca/0x100 kasan_check_range+0x39/0x1c0 page_counter_uncharge+0x65/0x150 dmem_cgroup_uncharge+0x1f/0x260 Asignado por la tarea 527: Liberado por la tarea 0: La dirección errónea pertenece al objeto en ffff888106715400 que pertenece a la caché kmalloc-512 de tamaño 512 La dirección errónea está ubicada 64 bytes dentro de región liberada de 512 bytes [ffff888106715400, ffff888106715600) La dirección errónea pertenece a la página física: Estado de la memoria alrededor de la dirección errónea: ffff888106715300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888106715380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888106715400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888106715480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888106715500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb El problema ocurre porque un pool aún puede ser retenido por un llamador después de que su región de memoria asociada es desregistrada. La implementación actual libera el pool incluso si los usuarios aún mantienen referencias a él (p. ej., antes de que las operaciones de descarga se completen). Este parche añade un contador de referencias a cada pool, asegurando que un pool solo se libera cuando su contador de referencias llega a cero.

14 Feb 2026, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-14 17:15

Updated : 2026-04-03 14:16

NVD link : CVE-2026-23195

Mitre link : CVE-2026-23195

CVE.ORG link : CVE-2026-23195

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-416

Use After Free

7.0 /10