CVE-2026-23415

Source
https://cve.org/CVERecord?id=CVE-2026-23415
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23415.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-23415
Downstream
Published
2026-04-02T11:40:56.476Z
Modified
2026-07-15T01:48:58.305472748Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()
Details

In the Linux kernel, the following vulnerability has been resolved:

futex: Fix UaF between futexkeytonodeopt() and vmareplacepolicy()

During futexkeytonodeopt() execution, vma->vmpolicy is read under speculative mmap lock and RCU. Concurrently, mbind() may call vmareplacepolicy() which frees the old mempolicy immediately via kmemcache_free().

This creates a race where _futexkeytonode() dereferences a freed mempolicy pointer, causing a use-after-free read of mpol->mode.

[ 151.412631] BUG: KASAN: slab-use-after-free in _futexkeytonode (kernel/futex/core.c:349) [ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87

[ 151.415969] Call Trace:

[ 151.416732] __asan_load2 (mm/kasan/generic.c:271) [ 151.416777] _futexkeytonode (kernel/futex/core.c:349) [ 151.416822] getfutexkey (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)

Fix by adding rcu to _mpolput().

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23415.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c042c505210dc3453f378df432c10fff3d471bc5
Fixed
853f70c67d1b37e368fdcb3e328c4b8c04f53ac0
Fixed
7e196194ea27bd49adf3551e2aceb83498eb73fe
Fixed
190a8c48ff623c3d67cb295b4536a660db2012aa

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23415.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.16.0
Fixed
6.18.21
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.11

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23415.json"