CVE-2026-23415
Status: Received - Intake
Use-After-Free in Linux Kernel futex Causes Potential Memory Corruption

Publication date: 2026-04-02

Last updated on: 2026-04-27

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved:

futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()

During futex_key_to_node_opt() execution, vma->vm_policy is read under speculative mmap lock and RCU. Concurrently, mbind() may call vma_replace_policy() which frees the old mempolicy immediately via kmem_cache_free(). This creates a race where __futex_key_to_node() dereferences a freed mempolicy pointer, causing a use-after-free read of mpol->mode.

[ 151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)
[ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87
[ 151.415969] Call Trace:
[ 151.416732]  __asan_load2 (mm/kasan/generic.c:271)
[ 151.416777]  __futex_key_to_node (kernel/futex/core.c:349)
[ 151.416822]  get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)

Fix by adding rcu to __mpol_put().
Meta Information
Published: 2026-04-02
Last Modified: 2026-04-27
Generated: 2026-05-07
AI Q&A: 2026-04-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.16
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.16.1 (inc) to 6.18.21 (exc)
Exploitability
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a use-after-free (UaF) read in the Linux kernel's futex subsystem. When a futex key is resolved, futex_key_to_node_opt() reads the VMA's memory policy pointer (vma->vm_policy) under the speculative (lockless) mmap lock and an RCU read-side critical section, and __futex_key_to_node() then dereferences that pointer to read mpol->mode. At the same time, another thread of the same process can call mbind(), which replaces the VMA's policy through vma_replace_policy() and frees the old mempolicy immediately with kmem_cache_free(). Because the free does not wait for an RCU grace period, the futex reader can still hold the old pointer when the slab object is returned, and its dereference becomes a use-after-free read.

The bug was identified by the Kernel Address Sanitizer (KASAN), which reported a slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349) as a 2-byte read, i.e. the read of mpol->mode, with get_futex_key() in the call trace.

The fix makes __mpol_put() release the mempolicy through RCU instead of freeing it immediately, so the object is only returned to the slab cache after every RCU reader that may have observed the old vma->vm_policy has finished.


How can this vulnerability impact me?

This is a use-after-free read in a path reachable from ordinary system calls: futex(2) is used by every pthread-based program, and mbind(2) can be called by an unprivileged process on its own address space. A local, unprivileged, multi-threaded process can therefore exercise the race without any special capability. The immediate consequence is that the kernel reads a 2-byte value (mpol->mode) from a freed slab object, which can crash the kernel or leave it in an inconsistent state, i.e. a local denial of service.

Use-after-free bugs can in some cases be developed into arbitrary code execution or privilege escalation, but this description documents only a read of a freed object, not a write, and mentions no impact beyond the KASAN report. Treat the issue primarily as a local kernel DoS, with higher risk on hosts that run untrusted code from multiple tenants.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This is a kernel bug, not a network-observable condition, so detection means (a) establishing whether the running kernel is in an affected range and (b) looking for evidence that the race has been hit.

The most reliable check is the kernel version. Compare the output of the following command with the affected ranges in the "Affected Vendors & Products" table above (6.16.1 up to but not including 6.18.21, and 6.19 up to but not including 6.19.11, plus the bare 6.16 and 7.0 entries):

  • uname -r

If the release is in an affected range, the fix is missing. Distribution kernels may backport the fix without changing the upstream version number, so also check your vendor's advisory or package changelog for CVE-2026-23415.

The KASAN report quoted in the description only appears on kernels built with CONFIG_KASAN, which is uncommon outside test and debug builds. A production kernel that hits this race prints no KASAN message; the stale read may surface only as an unexplained crash in the futex path, or not at all. On a KASAN-enabled kernel, look for entries similar to:

  • [ 151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)
  • [ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87

To search the kernel log for them:

  • dmesg | grep -i -E 'kasan|futex_key_to_node'
  • journalctl -k | grep -i -E 'kasan|futex_key_to_node'

These commands search the kernel ring buffer and the journal for KASAN reports and for crashes that mention the affected futex function.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by a patch that makes __mpol_put() free the mempolicy through RCU instead of immediately, so the object outlives any in-flight RCU reader in the futex path. There is no runtime setting that enables the fix; the kernel has to be updated.

Immediate mitigation steps include:

  • Update the Linux kernel to a release that contains the fix (one outside the affected ranges listed above, or a distribution kernel whose changelog references CVE-2026-23415), then reboot into it.
  • Monitor kernel updates and apply security patches promptly.
  • If updating immediately is not possible, reduce exposure by removing the writer side of the race from untrusted workloads: the race requires mbind(2) to run concurrently with a futex operation in the same process. futex(2) is used by every pthread program and cannot be blocked, but mbind(2) is rarely needed and can be denied with a seccomp filter for containers or sandboxes that run untrusted code. This does not protect against a local user who can run arbitrary binaries outside such a sandbox.
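The following shell script turns the version check from the detection and update steps above into something repeatable across a fleet. It is an added example, not code from this page, from kernel.org or from any distribution. The two ranges are copied from the "Affected Vendors & Products" table; the bare-version rows (6.16 and 7.0) carry no update/rc field on this page, so the script reports them as "listed" rather than "affected" (an assumption about the table, not a statement about those releases); the function names ver_num and cve_2026_23415_status are hypothetical. It compares upstream version numbers only and cannot see distribution backports.

```shell
#!/bin/sh
# Added example (not from the page, kernel.org or any distribution):
# classify a kernel release string against the affected ranges listed on
# this page for CVE-2026-23415. Usage: sh check.sh "$(uname -r)"

# ver_num: turn "MAJ.MIN.PAT[-anything]" into one comparable integer
# (MAJ*1000000 + MIN*1000 + PAT). Missing MIN/PAT count as 0, so "6.19"
# and "6.19.0" compare equal; "-rcN", "-generic", "+deb13" suffixes are
# ignored for the comparison.
ver_num() {
  v=${1%%-*}                      # drop "-rc3", "-generic", "-1-amd64", ...
  v=${v%%+*}                      # drop "+deb13" style vendor suffixes
  maj=${v%%.*}
  rest=${v#*.}
  if [ "$rest" = "$v" ]; then     # no '.' at all, e.g. "6"
    min=0; pat=0
  else
    min=${rest%%.*}
    pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0 # "6.19" -> no patch component
    pat=${pat%%.*}                # "6.18.20.1" -> keep "20"
  fi
  echo $((maj * 1000000 + min * 1000 + pat))
}

# cve_2026_23415_status: print and return one of
#   "affected"   (exit 0)  release is inside a range row of the table
#   "listed"     (exit 2)  release matches a bare-version row (6.16, 7.0)
#                          whose update/rc field is absent on the page, so
#                          it is flagged for manual confirmation (assumption)
#   "not listed" (exit 1)  outside every row; a vendor backport check may
#                          still be needed
cve_2026_23415_status() {
  rel=$1
  n=$(ver_num "$rel")
  # Table row: From 6.16.1 (inc) to 6.18.21 (exc)
  if [ "$n" -ge "$(ver_num 6.16.1)" ] && [ "$n" -lt "$(ver_num 6.18.21)" ]; then
    echo affected; return 0
  fi
  # Table row: From 6.19 (inc) to 6.19.11 (exc)
  if [ "$n" -ge "$(ver_num 6.19)" ] && [ "$n" -lt "$(ver_num 6.19.11)" ]; then
    echo affected; return 0
  fi
  # Table rows with a bare version and no update field
  case "$rel" in
    6.16|6.16.0|6.16-*|6.16.0-*|7.0|7.0.0|7.0-*|7.0.0-*)
      echo listed; return 2 ;;
  esac
  echo "not listed"; return 1
}

# When run as a script, check the release given as the first argument.
if [ "$#" -gt 0 ]; then
  cve_2026_23415_status "$1"
fi
```

Run it as sh check.sh "$(uname -r)" on each host; the exit status (0 affected, 2 listed, 1 not listed) makes it usable from configuration-management or inventory tooling. A "not listed" result on a distribution kernel still needs a look at the vendor changelog, because backported fixes do not move the upstream version number.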
