CVE-2026-23195
Unknown Unknown - Not Provided
Use-After-Free Vulnerability in Linux Kernel cgroup/dmem Component

Publication date: 2026-02-14

Last updated on: 2026-04-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: cgroup/dmem: avoid pool UAF An UAF issue was observed: BUG: KASAN: slab-use-after-free in page_counter_uncharge+0x65/0x150 Write of size 8 at addr ffff888106715440 by task insmod/527 CPU: 4 UID: 0 PID: 527 Comm: insmod 6.19.0-rc7-next-20260129+ #11 Tainted: [O]=OOT_MODULE Call Trace: <TASK> dump_stack_lvl+0x82/0xd0 kasan_report+0xca/0x100 kasan_check_range+0x39/0x1c0 page_counter_uncharge+0x65/0x150 dmem_cgroup_uncharge+0x1f/0x260 Allocated by task 527: Freed by task 0: The buggy address belongs to the object at ffff888106715400 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 64 bytes inside of freed 512-byte region [ffff888106715400, ffff888106715600) The buggy address belongs to the physical page: Memory state around the buggy address: ffff888106715300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888106715380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888106715400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888106715480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888106715500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb The issue occurs because a pool can still be held by a caller after its associated memory region is unregistered. The current implementation frees the pool even if users still hold references to it (e.g., before uncharge operations complete). This patch adds a reference counter to each pool, ensuring that a pool is only freed when its reference count drops to zero.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-14
Last Modified
2026-04-03
Generated
2026-06-16
AI Q&A
2026-02-14
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23195
EUVD
EUVD-2026-5849
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.14 (inc) to 6.18.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Executive Summary

This vulnerability is a Use-After-Free (UAF) issue in the Linux kernel's cgroup/dmem subsystem. It occurs because a memory pool can still be referenced by a caller even after its associated memory region has been unregistered and freed. The current implementation frees the pool even if users still hold references to it, which can lead to accessing freed memory.

The problem was observed as a slab-use-after-free error detected by KASAN (Kernel Address Sanitizer) during a write operation. The fix involves adding a reference counter to each pool to ensure that the pool is only freed when no references remain.

Impact Analysis

This vulnerability can lead to memory corruption or instability in the Linux kernel, potentially causing crashes or unpredictable behavior. Since it involves use-after-free, it might be exploitable to execute arbitrary code or escalate privileges, depending on the context and attacker capabilities.

Detection Guidance

This vulnerability manifests as a use-after-free (UAF) issue in the Linux kernel's cgroup/dmem subsystem, which can trigger kernel address sanitizer (KASAN) reports. Detection typically involves monitoring kernel logs for KASAN error messages indicating slab-use-after-free in the function page_counter_uncharge.

You can check your system logs (e.g., using dmesg or journalctl) for messages similar to the following indicative of this vulnerability:

  • dmesg | grep -i 'KASAN: slab-use-after-free'
  • journalctl -k | grep -i 'page_counter_uncharge'

Additionally, monitoring for crashes or warnings related to the insmod command or kernel modules may help detect attempts to trigger this issue.

Mitigation Strategies

The vulnerability is resolved by a patch that adds a reference counter to each memory pool in the cgroup/dmem subsystem, preventing premature freeing of memory still in use.

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix for this vulnerability (post 6.19.0-rc7-next-20260129+).
  • Avoid loading untrusted or out-of-tree kernel modules (as indicated by the tainted kernel state in the report) until the patch is applied.
  • Monitor kernel logs for related errors and avoid operations that trigger the vulnerability, such as insmod commands on vulnerable kernels.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23195. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart