CVE-2026-23225

EPSS 0.03%
Veröffentlicht 18.02.2026 14:53:28
Zuletzt bearbeitet 23.02.2026 04:16:01
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

In the Linux kernel, the following vulnerability has been resolved:

sched/mmcid: Don't assume CID is CPU owned on mode switch

Shinichiro reported a KASAN UAF, which is actually an out of bounds access
in the MMCID management code.

   CPU0						CPU1
   						T1 runs in userspace
   T0: fork(T4) -> Switch to per CPU CID mode
         fixup() set MM_CID_TRANSIT on T1/CPU1
   T4 exit()
   T3 exit()
   T2 exit()
						T1 exit() switch to per task mode
						 ---> Out of bounds access.

As T1 has not scheduled after T0 set the TRANSIT bit, it exits with the
TRANSIT bit set. sched_mm_cid_remove_user() clears the TRANSIT bit in
the task and drops the CID, but it does not touch the per CPU storage.
That's functionally correct because a CID is only owned by the CPU when
the ONCPU bit is set, which is mutually exclusive with the TRANSIT flag.

Now sched_mm_cid_exit() assumes that the CID is CPU owned because the
prior mode was per CPU. It invokes mm_drop_cid_on_cpu() which clears the
not set ONCPU bit and then invokes clear_bit() with an insanely large
bit number because TRANSIT is set (bit 29).

Prevent that by actually validating that the CID is CPU owned in
mm_drop_cid_on_cpu().

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version < 81f29975631db8a78651b3140ecd0f88ffafc476

Version 007d84287c7466ca68a5809b616338214dc5b77b

Status affected

Version < 1e83ccd5921a610ef409a7d4e56db27822b4ea39

Version 007d84287c7466ca68a5809b616338214dc5b77b

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 6.19

Status affected

Version < 6.19

Version 0

Status unaffected

Version <= 6.19.*

Version 6.19.1

Status unaffected

Version <= *

Version 7.0-rc1

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.071

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://git.kernel.org/stable/c/81f29975631db8a78651b3140ecd0f88ffafc476

https://git.kernel.org/stable/c/1e83ccd5921a610ef409a7d4e56db27822b4ea39

https://nvd.nist.gov/vuln/detail/CVE-2026-23225

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-23225

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-23225

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-23225