In the Linux kernel, the following vulnerability has been resolved:
futex: Fix UaF between futexkeytonodeopt() and vmareplacepolicy()
During futexkeytonodeopt() execution, vma->vmpolicy is read under speculative mmap lock and RCU. Concurrently, mbind() may call vmareplacepolicy() which frees the old mempolicy immediately via kmemcache_free().
This creates a race where _futexkeytonode() dereferences a freed mempolicy pointer, causing a use-after-free read of mpol->mode.
[ 151.412631] BUG: KASAN: slab-use-after-free in _futexkeytonode (kernel/futex/core.c:349) [ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87
[ 151.415969] Call Trace:
[ 151.416732] __asan_load2 (mm/kasan/generic.c:271) [ 151.416777] _futexkeytonode (kernel/futex/core.c:349) [ 151.416822] getfutexkey (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)
Fix by adding rcu to _mpolput().
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23415.json",
"cna_assigner": "Linux"
}