CVE-2026-23416
Received Received - Intake
Incorrect VMA End Handling in Linux Kernel Memory Management

Publication date: 2026-04-02

Last updated on: 2026-04-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: mm/mseal: update VMA end correctly on merge Previously we stored the end of the current VMA in curr_end, and then upon iterating to the next VMA updated curr_start to curr_end to advance to the next VMA. However, this doesn't take into account the fact that a VMA might be updated due to a merge by vma_modify_flags(), which can result in curr_end being stale and thus, upon setting curr_start to curr_end, ending up with an incorrect curr_start on the next iteration. Resolve the issue by setting curr_end to vma->vm_end unconditionally to ensure this value remains updated should this occur. While we're here, eliminate this entire class of bug by simply setting const curr_[start/end] to be clamped to the input range and VMAs, which also happens to simplify the logic.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23416
EUVD
EUVD-2026-18198
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.17
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.17.1 (inc) to 6.18.21 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is related to the Linux kernel's memory management, specifically in the mm/mseal component. The issue arises from how the end of the current Virtual Memory Area (VMA) was tracked during iteration. Previously, the code stored the end of the current VMA in a variable called curr_end and then updated the start of the next VMA (curr_start) to this value. However, if a VMA was modified and merged by the function vma_modify_flags(), curr_end could become outdated (stale). This caused curr_start to be set incorrectly on the next iteration, potentially leading to errors in memory area handling.

The fix involved always updating curr_end to the current VMA's vm_end value unconditionally, ensuring it remains accurate even after merges. Additionally, the logic was simplified by clamping curr_start and curr_end to the input range and VMAs, eliminating this class of bugs.

Impact Analysis

This vulnerability in the Linux kernel's memory management subsystem could lead to incorrect handling of virtual memory areas (VMAs) during iteration and merging. Specifically, the end address of a VMA might be stale, causing the next VMA's start address to be set incorrectly. This can result in improper memory management behavior, potentially leading to system instability or unexpected behavior in applications relying on accurate memory mappings.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23416. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart