Description
In the Linux kernel, the following vulnerability has been resolved:

uacce: implement mremap in uacce_vm_ops to return -EPERM

The current uacce_vm_ops does not support the mremap operation of
vm_operations_struct. Implement .mremap to return -EPERM to remind
users.

The reason we need to explicitly disable mremap is that when the
driver does not implement .mremap, it uses the default mremap
method. This could lead to a risk scenario:

An application might first mmap address p1, then mremap to p2,
followed by munmap(p1), and finally munmap(p2). Since the default
mremap copies the original vma's vm_private_data (i.e., q) to the
new vma, both munmap operations would trigger vma_close, causing
q->qfr to be freed twice (qfr will be set to null here, so repeated
release is ok).

Published: 2026-02-04
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Potential double free leading to memory corruption in the uacce driver
Action: Patch Required

AI Analysis

Impact

The uacce driver in the Linux kernel lacks a mremap operation in its vm_ops structure. Without an explicit handler, the kernel defaults to a generic mremap routine that copies the original VMA’s private data to a new VMA. If an application maps a region, remaps it, and then unmaps both the original and remapped areas, the default behavior causes the driver’s q->qfr resource to be released twice. Although the driver subsequently nulls the pointer to avoid a repeated release, the double‑free risk remains a classic vulnerability that could be leveraged to corrupt memory or crash the system. Signalling EPERM prevents this scenario but requires an upgrade.
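
The sequence from the description, as an added user-space model (not kernel or uacce driver code; it is not taken from the advisory or the fix commits). All struct and function names are simplified, hypothetical stand-ins, and the hook is consulted before the copy for brevity. It shows two close calls reaching the same q when no .mremap hook exists, and a single close once the hook returns -EPERM.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model only: simplified stand-ins for the kernel objects. */
struct queue { void *qfr; int releases; int stale_closes; };
struct vma;
struct vm_ops { void (*close)(struct vma *); int (*mremap)(struct vma *); };
struct vma { struct queue *private_data; const struct vm_ops *ops; };
struct outcome { int mremap_rc, close_calls, releases, stale_closes; };

/* Close handler: releases q->qfr and NULLs it, as the description notes. */
static void model_vma_close(struct vma *v) {
    struct queue *q = v->private_data;
    if (!q->qfr) { q->stale_closes++; return; }  /* second close on the same q */
    free(q->qfr);
    q->qfr = NULL;
    q->releases++;
}

/* The fix: an explicit hook that refuses the remap. */
static int model_mremap_eperm(struct vma *v) { (void)v; return -EPERM; }

const struct vm_ops ops_unpatched = { model_vma_close, NULL };
const struct vm_ops ops_patched   = { model_vma_close, model_mremap_eperm };

/* Default remap path: the new vma inherits private_data unless the hook fails. */
static int model_mremap(struct vma *old, struct vma *new_vma) {
    int rc = old->ops->mremap ? old->ops->mremap(old) : 0;
    if (rc == 0) *new_vma = *old;
    return rc;
}

/* mmap(p1) -> mremap(p2) -> munmap(p1) -> munmap(p2), as in the description. */
struct outcome run_sequence(const struct vm_ops *ops) {
    struct queue q = { malloc(16), 0, 0 };
    struct vma p1 = { &q, ops }, p2 = { NULL, NULL };
    struct outcome o = { 0, 0, 0, 0 };
    o.mremap_rc = model_mremap(&p1, &p2);
    p1.ops->close(&p1); o.close_calls++;                           /* munmap(p1) */
    if (o.mremap_rc == 0) { p2.ops->close(&p2); o.close_calls++; } /* munmap(p2) */
    o.releases = q.releases; o.stale_closes = q.stale_closes;
    return o;
}

int main(void) {
    struct outcome a = run_sequence(&ops_unpatched), b = run_sequence(&ops_patched);
    printf("unpatched: rc=%d closes=%d stale=%d\n", a.mremap_rc, a.close_calls, a.stale_closes);
    printf("patched:   rc=%d closes=%d stale=%d\n", b.mremap_rc, b.close_calls, b.stale_closes);
    return 0;
}
```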

Affected Systems

Linux Kernel, specifically the uacce driver component. No specific kernel version numbers are provided in the advisory, but the issue exists in any kernel revision lacking the mremap implementation for the uacce driver. The advisory references multiple Git commits that introduce the fix, indicating the problem was present in the mainline kernel up to the latest stable release at the time of the advisory.

Risk and Exploitability

The Exploit Prediction Scoring System (EPSS) indicates a probability of exploitation less than 1%, placing the risk in the very low range. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalogue, suggesting that no public, active exploitation has been documented. The absence of a CVSS score in the advisory makes it difficult to quantify severity precisely, but the potential for a double‑free memory corruption and the local nature of the required calls point toward a moderate to high impact if exploited. Because the driver nulls the pointer, which mitigates some aspects, and because systems are expected to apply the fix soon, the immediate threat level remains low. It is still advisable to apply the available patch promptly, as a double‑free can lead to denial of service or, in some contexts, privilege escalation if the corrupted memory can be leveraged.

Generated by OpenCVE AI on April 18, 2026 at 13:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Linux kernel patch that adds a .mremap entry returning -EPERM to the uacce driver’s vm_ops structure using the commit references provided in the advisory.
  • Rebuild and install the kernel containing the patch, ensuring the uacce driver is linked against the updated vm_ops code. Verify that the driver is loaded from the patched kernel image.
  • If upgrading the kernel is not immediately feasible, disable or restrict the use of the uacce device in user applications so that mmap/mremap sequences cannot be executed against it, thereby eliminating the double‑free risk until a patch can be applied.

Advisories
Source      ID          Title
Debian DLA  DLA-4475-1  linux security update
Debian DLA  DLA-4476-1  linux-6.1 security update
Debian DSA  DSA-6126-1  linux security update
Debian DSA  DSA-6127-1  linux security update
Ubuntu USN  USN-8162-1  Linux kernel (NVIDIA Tegra) vulnerabilities
Ubuntu USN  USN-8180-1  Linux kernel vulnerabilities
Ubuntu USN  USN-8180-2  Linux kernel (FIPS) vulnerabilities
Ubuntu USN  USN-8186-1  Linux kernel (Real-time) vulnerabilities
Ubuntu USN  USN-8187-1  Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN  USN-8188-1  Linux kernel (HWE) vulnerabilities
History

Sat, 18 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415

Fri, 06 Feb 2026 16:45:00 +0000


Thu, 05 Feb 2026 12:15:00 +0000


Wed, 04 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Title uacce: implement mremap in uacce_vm_ops to return -EPERM
First Time appeared Linux; Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux; Linux linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:37:54.328Z

Reserved: 2026-01-13T15:37:45.951Z

Link: CVE-2026-23056

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-02-04T17:16:16.273

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23056

Redhat

Severity :

Public Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23056 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T14:00:02Z
