CVE-2026-23195
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
cgroup/dmem: avoid pool UAF
An UAF issue was observed:
BUG: KASAN: slab-use-after-free in page_counter_uncharge+0x65/0x150 Write of size 8 at addr ffff888106715440 by task insmod/527
CPU: 4 UID: 0 PID: 527 Comm: insmod 6.19.0-rc7-next-20260129+ #11 Tainted: [O]=OOT_MODULE Call Trace: <TASK> dump_stack_lvl+0x82/0xd0 kasan_report+0xca/0x100 kasan_check_range+0x39/0x1c0 page_counter_uncharge+0x65/0x150 dmem_cgroup_uncharge+0x1f/0x260
Allocated by task 527:
Freed by task 0:
The buggy address belongs to the object at ffff888106715400 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 64 bytes inside of freed 512-byte region [ffff888106715400, ffff888106715600)
The buggy address belongs to the physical page:
Memory state around the buggy address: ffff888106715300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888106715380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888106715400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888106715480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888106715500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
The issue occurs because a pool can still be held by a caller after its associated memory region is unregistered. The current implementation frees the pool even if users still hold references to it (e.g., before uncharge operations complete).
This patch adds a reference counter to each pool, ensuring that a pool is only freed when its reference count drops to zero.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | b168ed458ddecc176f3b9a1f4bcd83d7a4541c14 < d3081353acaa6a638dcf75726066ea556a2de8d5 | affected |
| Linux | Linux | b168ed458ddecc176f3b9a1f4bcd83d7a4541c14 < 99a2ef500906138ba58093b9893972a5c303c734 | affected |
| Linux | Linux | 6.14 | affected |
| Linux | Linux | 0 < 6.14 | unaffected |
| Linux | Linux | 6.18.10 <= 6.18.* | unaffected |
| Linux | Linux | 6.19 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/d3081353acaa6a638dcf75726066ea556a2de8d5
- https://git.kernel.org/stable/c/99a2ef500906138ba58093b9893972a5c303c734
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.