In the Linux kernel, the following vulnerability has been resolved:
mm/vma: fix memory leak in _mmapregion()
commit 605f6586ecf7 ("mm/vma: do not leak memory when .mmapprepare swaps the file") handled the success path by skipping getfile() via filedoesntneed_get, but missed the error path.
When /dev/zero is mmap'd with MAPSHARED, mmapzeroprepare() calls shmemzerosetupdesc() which allocates a new shmem file to back the mapping. If __mmapnewvma() subsequently fails, this replacement file is never fput()'d - the original is released by ksysmmappgoff(), but nobody releases the new one.
Add fput() for the swapped file in the error path.
Reproducible with fault injection.
FAULTINJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 1 CPU: 2 UID: 0 PID: 366 Comm: syz.7.14 Not tainted 7.0.0-rc6 #2 PREEMPT(full) Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, archcaps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> dumpstacklvl+0x164/0x1f0 shouldfailex+0x525/0x650 shouldfailslab+0xdf/0x140 kmemcacheallocnoprof+0x78/0x630 vmareaalloc+0x24/0x160 __mmapregion+0xf6b/0x2660 mmapregion+0x2eb/0x3a0 do_mmap+0xc79/0x1240 vmmmappgoff+0x252/0x4c0 ksysmmappgoff+0xf8/0x120 __x64sysmmap+0x12a/0x190 dosyscall64+0xa9/0x580 entrySYSCALL64afterhwframe+0x76/0x7e </TASK>
kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak) BUG: memory leak unreferenced object 0xffff8881118aca80 (size 360): comm "syz.7.14", pid 366, jiffies 4294913255 hex dump (first 32 bytes): 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ff ff ff ff ff ff ff ff c0 28 4d ae ff ff ff ff .........(M..... backtrace (crc db0f53bc): kmemcacheallocnoprof+0x3ab/0x630 allocemptyfile+0x5a/0x1e0 allocfile_pseudo+0x135/0x220 __shmemfilesetup+0x274/0x420 shmemzerosetupdesc+0x9c/0x170 mmapzero_prepare+0x123/0x140 __mmapregion+0xdda/0x2660 mmapregion+0x2eb/0x3a0 dommap+0xc79/0x1240 vmmmappgoff+0x252/0x4c0 ksysmmap_pgoff+0xf8/0x120 __x64sysmmap+0x12a/0x190 dosyscall64+0xa9/0x580 entrySYSCALL64afterhwframe+0x76/0x7e
Found by syzkaller.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31654.json"
}