CVE-2026-23225

EPSS 0.02%
Veröffentlicht 18.02.2026 14:53:28
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

sched/mmcid: Don't assume CID is CPU owned on mode switch

In the Linux kernel, the following vulnerability has been resolved:

sched/mmcid: Don't assume CID is CPU owned on mode switch

Shinichiro reported a KASAN UAF, which is actually an out of bounds access
in the MMCID management code.

   CPU0						CPU1
   						T1 runs in userspace
   T0: fork(T4) -> Switch to per CPU CID mode
         fixup() set MM_CID_TRANSIT on T1/CPU1
   T4 exit()
   T3 exit()
   T2 exit()
						T1 exit() switch to per task mode
						 ---> Out of bounds access.

As T1 has not scheduled after T0 set the TRANSIT bit, it exits with the
TRANSIT bit set. sched_mm_cid_remove_user() clears the TRANSIT bit in
the task and drops the CID, but it does not touch the per CPU storage.
That's functionally correct because a CID is only owned by the CPU when
the ONCPU bit is set, which is mutually exclusive with the TRANSIT flag.

Now sched_mm_cid_exit() assumes that the CID is CPU owned because the
prior mode was per CPU. It invokes mm_drop_cid_on_cpu() which clears the
not set ONCPU bit and then invokes clear_bit() with an insanely large
bit number because TRANSIT is set (bit 29).

Prevent that by actually validating that the CID is CPU owned in
mm_drop_cid_on_cpu().

Betroffene Produkte Warnungen 0 Metriken 2 CWE 0 Referenzen 5

CNA 2 VulnDex Vulnerability Enrichment 6

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version 007d84287c7466ca68a5809b616338214dc5b77b

Version < 81f29975631db8a78651b3140ecd0f88ffafc476

Status affected

Version 007d84287c7466ca68a5809b616338214dc5b77b

Version < 1e83ccd5921a610ef409a7d4e56db27822b4ea39

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 6.19

Status affected

Version 0

Version < 6.19

Status unaffected

Version <= 6.19.*

Version 6.19.1

Status unaffected

Version <= *

Version 7.0

Status unaffected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.053

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://git.kernel.org/stable/c/81f29975631db8a78651b3140ecd0f88ffafc476

https://git.kernel.org/stable/c/1e83ccd5921a610ef409a7d4e56db27822b4ea39

https://nvd.nist.gov/vuln/detail/CVE-2026-23225

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-23225

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-23225

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-23225