CVE-2026-23432
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
mshv: Fix use-after-free in mshv_map_user_memory error path
In the error path of mshv_map_user_memory(), calling vfree() directly on the region leaves the MMU notifier registered. When userspace later unmaps the memory, the notifier fires and accesses the freed region, causing a use-after-free and potential kernel panic.
Replace vfree() with mshv_partition_put() to properly unregister the MMU notifier before freeing the region.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | b9a66cd5ccbb9fade15d0e427e19470d8ad35b75 < 34861bdc0c0196b6c2dd48f7454029407704ff6e | affected |
| Linux | Linux | b9a66cd5ccbb9fade15d0e427e19470d8ad35b75 < 6922db250422a0dfee34de322f86b7a73d713d33 | affected |
| Linux | Linux | 6.19 | affected |
| Linux | Linux | 0 < 6.19 | unaffected |
| Linux | Linux | 6.19.10 <= 6.19.* | unaffected |
| Linux | Linux | 7.0 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/34861bdc0c0196b6c2dd48f7454029407704ff6e
- https://git.kernel.org/stable/c/6922db250422a0dfee34de322f86b7a73d713d33
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.