CVE-2026-23415
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
02/04/2026
Last modified:
27/04/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()<br />
<br />
During futex_key_to_node_opt() execution, vma->vm_policy is read under<br />
speculative mmap lock and RCU. Concurrently, mbind() may call<br />
vma_replace_policy() which frees the old mempolicy immediately via<br />
kmem_cache_free().<br />
<br />
This creates a race where __futex_key_to_node() dereferences a freed<br />
mempolicy pointer, causing a use-after-free read of mpol->mode.<br />
<br />
[ 151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)<br />
[ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87<br />
<br />
[ 151.415969] Call Trace:<br />
<br />
[ 151.416732] __asan_load2 (mm/kasan/generic.c:271)<br />
[ 151.416777] __futex_key_to_node (kernel/futex/core.c:349)<br />
[ 151.416822] get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)<br />
<br />
Fix by adding rcu to __mpol_put().
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.16.1 (including) | 6.18.21 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 6.19.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page