CVE-2026-23415
Received Received - Intake
Use-After-Free in Linux Kernel futex Causes Potential Memory Corruption

Publication date: 2026-04-02

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy() During futex_key_to_node_opt() execution, vma->vm_policy is read under speculative mmap lock and RCU. Concurrently, mbind() may call vma_replace_policy() which frees the old mempolicy immediately via kmem_cache_free(). This creates a race where __futex_key_to_node() dereferences a freed mempolicy pointer, causing a use-after-free read of mpol->mode. [ 151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349) [ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87 [ 151.415969] Call Trace: [ 151.416732] __asan_load2 (mm/kasan/generic.c:271) [ 151.416777] __futex_key_to_node (kernel/futex/core.c:349) [ 151.416822] get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593) Fix by adding rcu to __mpol_put().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23415
EUVD
EUVD-2026-18196
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.16
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.16.1 (inc) to 6.18.21 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free (UaF) issue in the Linux kernel's futex subsystem. It occurs because during the execution of the function futex_key_to_node_opt(), the kernel reads a memory policy pointer (vma->vm_policy) under a speculative mmap lock and RCU (Read-Copy-Update). At the same time, another function, mbind(), may call vma_replace_policy(), which frees the old memory policy immediately. This creates a race condition where futex_key_to_node_opt() dereferences a pointer to memory that has already been freed, leading to a use-after-free read.

The issue was identified by kernel address sanitizer (KASAN) detecting a slab-use-after-free in __futex_key_to_node, which reads from freed memory, potentially causing kernel instability or crashes.

The fix involved adding RCU handling to the __mpol_put() function to properly manage the lifecycle of the memory policy objects and prevent premature freeing.

Impact Analysis

This use-after-free vulnerability in the Linux kernel's futex subsystem can lead to kernel crashes or instability due to dereferencing freed memory. Such instability can cause denial of service (DoS) conditions on affected systems.

In some cases, use-after-free vulnerabilities can be exploited to execute arbitrary code or escalate privileges, although this specific CVE description does not explicitly mention exploitation beyond causing crashes.

Detection Guidance

This vulnerability manifests as a use-after-free (UaF) in the Linux kernel futex subsystem, which can be detected by observing kernel logs for specific error messages related to KASAN (Kernel Address Sanitizer).

Look for kernel log entries similar to the following, which indicate the presence of the issue:

  • [ 151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)
  • [ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87

To check for these messages, you can use the following commands on your system:

  • dmesg | grep -i kasan
  • journalctl -k | grep -i kasan

These commands search the kernel logs for KASAN-related errors that indicate use-after-free bugs in the futex subsystem.

Mitigation Strategies

The vulnerability is fixed by a patch that adds RCU (Read-Copy-Update) protection to the __mpol_put() function, preventing the use-after-free condition.

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix for this vulnerability.
  • Monitor kernel updates and apply security patches promptly.
  • If updating immediately is not possible, consider limiting or isolating workloads that heavily use futex and mbind system calls to reduce exposure.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23415. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart