CVE-2026-23195 (GCVE-0-2026-23195)

Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-05-11 22:02
VLAI
Title
cgroup/dmem: avoid pool UAF
Summary
In the Linux kernel, the following vulnerability has been resolved: cgroup/dmem: avoid pool UAF An UAF issue was observed: BUG: KASAN: slab-use-after-free in page_counter_uncharge+0x65/0x150 Write of size 8 at addr ffff888106715440 by task insmod/527 CPU: 4 UID: 0 PID: 527 Comm: insmod 6.19.0-rc7-next-20260129+ #11 Tainted: [O]=OOT_MODULE Call Trace: <TASK> dump_stack_lvl+0x82/0xd0 kasan_report+0xca/0x100 kasan_check_range+0x39/0x1c0 page_counter_uncharge+0x65/0x150 dmem_cgroup_uncharge+0x1f/0x260 Allocated by task 527: Freed by task 0: The buggy address belongs to the object at ffff888106715400 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 64 bytes inside of freed 512-byte region [ffff888106715400, ffff888106715600) The buggy address belongs to the physical page: Memory state around the buggy address: ffff888106715300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888106715380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888106715400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888106715480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888106715500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb The issue occurs because a pool can still be held by a caller after its associated memory region is unregistered. The current implementation frees the pool even if users still hold references to it (e.g., before uncharge operations complete). This patch adds a reference counter to each pool, ensuring that a pool is only freed when its reference count drops to zero.
Severity
7 (High)
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: b168ed458ddecc176f3b9a1f4bcd83d7a4541c14 , < d3081353acaa6a638dcf75726066ea556a2de8d5 (git)
Affected: b168ed458ddecc176f3b9a1f4bcd83d7a4541c14 , < 99a2ef500906138ba58093b9893972a5c303c734 (git)
Create a notification for this product.
Linux Linux Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.18.10 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/cgroup/dmem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d3081353acaa6a638dcf75726066ea556a2de8d5",
              "status": "affected",
              "version": "b168ed458ddecc176f3b9a1f4bcd83d7a4541c14",
              "versionType": "git"
            },
            {
              "lessThan": "99a2ef500906138ba58093b9893972a5c303c734",
              "status": "affected",
              "version": "b168ed458ddecc176f3b9a1f4bcd83d7a4541c14",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/cgroup/dmem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.10",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup/dmem: avoid pool UAF\n\nAn UAF issue was observed:\n\nBUG: KASAN: slab-use-after-free in page_counter_uncharge+0x65/0x150\nWrite of size 8 at addr ffff888106715440 by task insmod/527\n\nCPU: 4 UID: 0 PID: 527 Comm: insmod    6.19.0-rc7-next-20260129+ #11\nTainted: [O]=OOT_MODULE\nCall Trace:\n\u003cTASK\u003e\ndump_stack_lvl+0x82/0xd0\nkasan_report+0xca/0x100\nkasan_check_range+0x39/0x1c0\npage_counter_uncharge+0x65/0x150\ndmem_cgroup_uncharge+0x1f/0x260\n\nAllocated by task 527:\n\nFreed by task 0:\n\nThe buggy address belongs to the object at ffff888106715400\nwhich belongs to the cache kmalloc-512 of size 512\nThe buggy address is located 64 bytes inside of\nfreed 512-byte region [ffff888106715400, ffff888106715600)\n\nThe buggy address belongs to the physical page:\n\nMemory state around the buggy address:\nffff888106715300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\nffff888106715380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n\u003effff888106715400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\t\t\t\t     ^\nffff888106715480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\nffff888106715500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\nThe issue occurs because a pool can still be held by a caller after its\nassociated memory region is unregistered. The current implementation frees\nthe pool even if users still hold references to it (e.g., before uncharge\noperations complete).\n\nThis patch adds a reference counter to each pool, ensuring that a pool is\nonly freed when its reference count drops to zero."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:02:09.809Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d3081353acaa6a638dcf75726066ea556a2de8d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/99a2ef500906138ba58093b9893972a5c303c734"
        }
      ],
      "title": "cgroup/dmem: avoid pool UAF",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23195",
    "datePublished": "2026-02-14T16:27:21.621Z",
    "dateReserved": "2026-01-13T15:37:45.985Z",
    "dateUpdated": "2026-05-11T22:02:09.809Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-23195",
      "date": "2026-05-25",
      "epss": "0.00019",
      "percentile": "0.05566"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23195\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-02-14T17:15:57.337\",\"lastModified\":\"2026-04-03T14:16:26.923\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncgroup/dmem: avoid pool UAF\\n\\nAn UAF issue was observed:\\n\\nBUG: KASAN: slab-use-after-free in page_counter_uncharge+0x65/0x150\\nWrite of size 8 at addr ffff888106715440 by task insmod/527\\n\\nCPU: 4 UID: 0 PID: 527 Comm: insmod    6.19.0-rc7-next-20260129+ #11\\nTainted: [O]=OOT_MODULE\\nCall Trace:\\n\u003cTASK\u003e\\ndump_stack_lvl+0x82/0xd0\\nkasan_report+0xca/0x100\\nkasan_check_range+0x39/0x1c0\\npage_counter_uncharge+0x65/0x150\\ndmem_cgroup_uncharge+0x1f/0x260\\n\\nAllocated by task 527:\\n\\nFreed by task 0:\\n\\nThe buggy address belongs to the object at ffff888106715400\\nwhich belongs to the cache kmalloc-512 of size 512\\nThe buggy address is located 64 bytes inside of\\nfreed 512-byte region [ffff888106715400, ffff888106715600)\\n\\nThe buggy address belongs to the physical page:\\n\\nMemory state around the buggy address:\\nffff888106715300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\\nffff888106715380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\\n\u003effff888106715400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n\\t\\t\\t\\t     ^\\nffff888106715480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\nffff888106715500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n\\nThe issue occurs because a pool can still be held by a caller after its\\nassociated memory region is unregistered. The current implementation frees\\nthe pool even if users still hold references to it (e.g., before uncharge\\noperations complete).\\n\\nThis patch adds a reference counter to each pool, ensuring that a pool is\\nonly freed when its reference count drops to zero.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\\n\\ncgroup/dmem: evitar UAF de pool\\n\\nSe observ\u00f3 un problema de UAF:\\n\\nERROR: KASAN: slab-uso despu\u00e9s de liberaci\u00f3n en page_counter_uncharge+0x65/0x150\\nEscritura de tama\u00f1o 8 en addr ffff888106715440 por la tarea insmod/527\\n\\nCPU: 4 UID: 0 PID: 527 Comm: insmod    6.19.0-rc7-next-20260129+ #11\\nTainted: [O]=OOT_MODULE\\nTraza de Llamada:\\n\\ndump_stack_lvl+0x82/0xd0\\nkasan_report+0xca/0x100\\nkasan_check_range+0x39/0x1c0\\npage_counter_uncharge+0x65/0x150\\ndmem_cgroup_uncharge+0x1f/0x260\\n\\nAsignado por la tarea 527:\\n\\nLiberado por la tarea 0:\\n\\nLa direcci\u00f3n err\u00f3nea pertenece al objeto en ffff888106715400\\nque pertenece a la cach\u00e9 kmalloc-512 de tama\u00f1o 512\\nLa direcci\u00f3n err\u00f3nea est\u00e1 ubicada 64 bytes dentro de\\nregi\u00f3n liberada de 512 bytes [ffff888106715400, ffff888106715600)\\n\\nLa direcci\u00f3n err\u00f3nea pertenece a la p\u00e1gina f\u00edsica:\\n\\nEstado de la memoria alrededor de la direcci\u00f3n err\u00f3nea:\\nffff888106715300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\\nffff888106715380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\\n\u0026gt;ffff888106715400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n\\t\\t\\t\\t     ^\\nffff888106715480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\nffff888106715500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n\\nEl problema ocurre porque un pool a\u00fan puede ser retenido por un llamador despu\u00e9s de que su regi\u00f3n de memoria asociada es desregistrada. La implementaci\u00f3n actual libera el pool incluso si los usuarios a\u00fan mantienen referencias a \u00e9l (p. ej., antes de que las operaciones de descarga se completen).\\n\\nEste parche a\u00f1ade un contador de referencias a cada pool, asegurando que un pool solo se libera cuando su contador de referencias llega a cero.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.14\",\"versionEndExcluding\":\"6.18.10\",\"matchCriteriaId\":\"4A68C73F-9B63-4EBC-9C52-F9679DAE3D65\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"17B67AA7-40D6-4AFA-8459-F200F3D7CFD1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F71D92C0-C023-48BD-B3B6-70B638EEE298\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"13580667-0A98-40CC-B29F-D12790B91BDB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"3EF854A1-ABB1-4E93-BE9A-44569EC76C0D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*\",\"matchCriteriaId\":\"EB5B7DFC-C36B-45D8-922C-877569FDDF43\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/99a2ef500906138ba58093b9893972a5c303c734\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d3081353acaa6a638dcf75726066ea556a2de8d5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.