CVE-2026-23380

Summary

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix WARN_ON in tracing_buffers_mmap_close

When a process forks, the child process copies the parent's VMAs but the user_mapped reference count is not incremented. As a result, when both the parent and child processes exit, tracing_buffers_mmap_close() is called twice. On the second call, user_mapped is already 0, causing the function to return -ENODEV and triggering a WARN_ON.

Normally, this isn't an issue as the memory is mapped with VM_DONTCOPY set. But this is only a hint, and the application can call madvise(MADVISE_DOFORK) which resets the VM_DONTCOPY flag. When the application does that, it can trigger this issue on fork.

Fix it by incrementing the user_mapped reference count without re-mapping the pages in the VMA's open callback.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxcf9f0f7c4c5bb45e7bb270e48bab6f7837825a64 < 91f3e8d84c89918769e71393f839c9fefadc2580affected
LinuxLinuxcf9f0f7c4c5bb45e7bb270e48bab6f7837825a64 < cdd96641b64297a2db42676f051362b76280a58baffected
LinuxLinuxcf9f0f7c4c5bb45e7bb270e48bab6f7837825a64 < b0f269ba6fefe9e3cb9feedcf78fcd0b633800c0affected
LinuxLinuxcf9f0f7c4c5bb45e7bb270e48bab6f7837825a64 < e39bb9e02b68942f8e9359d2a3efe7d37ae6be0eaffected
LinuxLinux6.10affected
LinuxLinux0 < 6.10unaffected
LinuxLinux6.12.77 <= 6.12.*unaffected
LinuxLinux6.18.17 <= 6.18.*unaffected
LinuxLinux6.19.7 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References