CVE-2026-23199
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
14/02/2026
Last modified:
18/02/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

procfs: avoid fetching build ID while holding VMA lock

Fix PROCMAP_QUERY to fetch optional build ID only after dropping mmap_lock
or per-VMA lock, whichever was used to lock VMA under question, to avoid
deadlock reported by syzbot:

-> #1 (&mm->mmap_lock){++++}-{4:4}:
    __might_fault+0xed/0x170
    _copy_to_iter+0x118/0x1720
    copy_page_to_iter+0x12d/0x1e0
    filemap_read+0x720/0x10a0
    blkdev_read_iter+0x2b5/0x4e0
    vfs_read+0x7f4/0xae0
    ksys_read+0x12a/0x250
    do_syscall_64+0xcb/0xf80
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #0 (&sb->s_type->i_mutex_key#8){++++}-{4:4}:
    __lock_acquire+0x1509/0x26d0
    lock_acquire+0x185/0x340
    down_read+0x98/0x490
    blkdev_read_iter+0x2a7/0x4e0
    __kernel_read+0x39a/0xa90
    freader_fetch+0x1d5/0xa80
    __build_id_parse.isra.0+0xea/0x6a0
    do_procmap_query+0xd75/0x1050
    procfs_procmap_ioctl+0x7a/0xb0
    __x64_sys_ioctl+0x18e/0x210
    do_syscall_64+0xcb/0xf80
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  rlock(&mm->mmap_lock);
                               lock(&sb->s_type->i_mutex_key#8);
                               lock(&mm->mmap_lock);
  rlock(&sb->s_type->i_mutex_key#8);

 *** DEADLOCK ***

This seems to be exacerbated (as we haven't seen these syzbot reports
before that) by the recent:

777a8560fd29 ("lib/buildid: use __kernel_read() for sleepable context")

To make this safe, we need to grab file refcount while VMA is still locked, but
other than that everything is pretty straightforward. Internal build_id_parse()
API assumes VMA is passed, but it only needs the underlying file reference, so
just add another variant build_id_parse_file() that expects file passed
directly.

[akpm@linux-foundation.org: fix up kerneldoc]
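
The ordering change described above, sketched as a userspace model; this is an added example, not the kernel patch or any kernel code. All type and function names are hypothetical, pthread mutexes stand in for mmap_lock/per-VMA lock and for the lock taken on the read path, and the sample data is constructed.

```c
/* Userspace model of the locking fix; every name here is hypothetical. */
#include <pthread.h>
#include <stdatomic.h>
#include <string.h>

struct file_obj {
    atomic_int refs;            /* reference count pinning the file */
    pthread_mutex_t io_lock;    /* stands in for the lock the read path takes */
    char build_id[20];
};
struct addr_space {
    pthread_mutex_t map_lock;   /* stands in for mmap_lock or the per-VMA lock */
    struct file_obj *mapped;    /* file backing the queried mapping */
};

/* Constructed sample data. */
static struct file_obj sample_file = { 1, PTHREAD_MUTEX_INITIALIZER, "constructed-id" };
static struct addr_space sample_as = { PTHREAD_MUTEX_INITIALIZER, &sample_file };
static _Thread_local int map_locks_held;   /* map locks held by this thread */

static void map_lock(struct addr_space *as)   { pthread_mutex_lock(&as->map_lock); map_locks_held++; }
static void map_unlock(struct addr_space *as) { map_locks_held--; pthread_mutex_unlock(&as->map_lock); }

/* Blocking read; returns 1 if no map lock was held, 0 on an ordering violation. */
static int read_build_id(struct file_obj *f, char *out)
{
    int ok = (map_locks_held == 0);
    pthread_mutex_lock(&f->io_lock);
    memcpy(out, f->build_id, sizeof f->build_id);
    pthread_mutex_unlock(&f->io_lock);
    return ok;
}

/* Pre-fix ordering: io_lock is acquired while map_lock is still held. */
static int query_unsafe(struct addr_space *as, char *out)
{
    map_lock(as);
    int ok = read_build_id(as->mapped, out);
    map_unlock(as);
    return ok;
}

/* Fixed ordering: pin the file under the lock, drop the lock, then read. */
static int query_fixed(struct addr_space *as, char *out)
{
    map_lock(as);
    struct file_obj *f = as->mapped;
    atomic_fetch_add(&f->refs, 1);     /* reference keeps f alive after unlock */
    map_unlock(as);
    int ok = read_build_id(f, out);
    atomic_fetch_sub(&f->refs, 1);     /* release the pin once the read is done */
    return ok;
}
```

The model flags the ordering violation instead of reproducing the hang: `query_unsafe` reports that the read ran with the map lock held, while `query_fixed` reads the same data with no map lock held and leaves the reference count balanced.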



