Description
In the Linux kernel, the following vulnerability has been resolved:

mm, shmem: prevent infinite loop on truncate race

When truncating a large swap entry, shmem_free_swap() returns 0 when the
entry's index doesn't match the given index due to lookup alignment. The
failure fallback path checks if the entry crosses the end border and
aborts when it happens, so truncate won't erase an unexpected entry or
range. But one scenario was ignored.

When `index` points to the middle of a large swap entry, and the large
swap entry doesn't go across the end border, find_get_entries() will
return that large swap entry as the first item in the batch with
`indices[0]` equal to `index`. The entry's base index will be smaller
than `indices[0]`, so shmem_free_swap() will fail and return 0 due to the
"base < index" check. The code will then call shmem_confirm_swap(), get
the order, check if it crosses the END boundary (which it doesn't), and
retry with the same index.

The next iteration will find the same entry again at the same index with
the same indices, leading to an infinite loop.

Fix this by retrying with a round-down index, and abort if the index is
smaller than the truncate range.
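
The retry behaviour described above, as a user-space C model added here (it is not kernel code and not the upstream patch). `struct entry`, `free_swap()` and `truncate_model()` are hypothetical names, the entry at pages 8..11 is constructed, and an iteration cap stands in for the loop that never ends.

```c
#include <stdio.h>

#define MAX_ITER 1000 /* iteration cap standing in for "never returns" */

/* Constructed model: one large swap entry covering [base, base + 2^order).
 * Assumption: base is aligned to 2^order, so masking rounds down to it. */
struct entry { unsigned long base; int order; };

/* Models the "base < index" check: 0 means the entry was not freed. */
static long free_swap(const struct entry *e, unsigned long index)
{
    if (e->base < index)
        return 0;
    return 1L << e->order;
}

/*
 * Truncate [start, end) with the scan positioned at index, which lies inside
 * the entry. Returns pages freed, or -1 if the retry loop never progresses.
 */
static long truncate_model(struct entry e, unsigned long start,
                           unsigned long end, unsigned long index, int fixed)
{
    unsigned long nr = 1UL << e.order;

    for (int iter = 0; iter < MAX_ITER; iter++) {
        long freed = free_swap(&e, index); /* lookup returned e at index */
        if (freed)
            return freed;
        if (e.base + nr > end)
            return 0;               /* entry crosses the end border: abort */
        if (fixed) {
            index &= ~(nr - 1);     /* retry from the rounded-down index */
            if (index < start)
                return 0;           /* below the truncate range: abort */
        }
        /* unfixed: same index, same entry, same failure on the next pass */
    }
    return -1;
}

int main(void)
{
    struct entry e = { .base = 8, .order = 2 }; /* pages 8..11 */

    printf("unfixed, index 10, range [10,16): %ld\n", truncate_model(e, 10, 16, 10, 0));
    printf("fixed,   index 10, range [10,16): %ld\n", truncate_model(e, 10, 16, 10, 1));
    printf("fixed,   index 10, range [8,16):  %ld\n", truncate_model(e, 8, 16, 10, 1));
    return 0;
}
```

A return of -1 marks the unfixed retry that never advances; with the round-down the same input either aborts (0) or frees the whole entry (4).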
Published: 2026-02-14
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via infinite loop in swap truncation
Action: Patch immediately
AI Analysis

Impact

The vulnerability resides in the Linux kernel memory‑management subsystem. When a large swap entry is truncated, the routine that frees the swap entry can incorrectly re‑enter the truncation loop if the requested index falls in the middle of that entry. This logic flaw causes the kernel to repeat the same lookup and retry, resulting in an infinite loop that consumes processor time and stalls the truncation operation. The effect is a denial of service condition: the process initiating the truncation can be starved of CPU resources, potentially affecting system responsiveness. No privilege escalation or data disclosure is possible from this flaw, but it can be leveraged by a local user with sufficient rights to manipulate swap entries.

Affected Systems

All Linux kernel releases that contain the unpatched shmem module are impacted. Vendors listed as "Linux:Linux" in the CNA data reflect that the issue exists in the upstream kernel itself, so any distribution kernel that ships the vulnerable version without the patch is affected. Exact version ranges are not specified, but the fix was introduced by applying the commit that adds retry logic with a round‑down index. Users running kernel versions prior to this change, irrespective of distribution, are at risk.

Risk and Exploitability

The CVSS score of 7.0 indicates a moderate to high severity, while the EPSS score is below 1%, suggesting a low likelihood of public exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog, further supporting the low current threat level. Exploitation requires a local context, typically a user with permission to truncate large swap entries, which may be limited to privileged users or root. Given the straightforward nature of the bug once the relevant code path is invoked, an attacker with local control could trigger a denial of service by repeatedly attempting to truncate swap entries, leading to persistent CPU hogging until the operation is aborted by the kernel.

Generated by OpenCVE AI on April 18, 2026 at 12:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel patch that includes the retry logic fix for shmem_free_swap – update to a kernel version that contains the applied commit.
  • Reboot the system to load the new kernel image and ensure the patch takes effect.
  • Ensure all hosts in the environment run the patched kernel, especially those providing virtualized or containerized services that rely on the kernel.


Advisories
Source: Debian DSA
ID: DSA-6141-1
Title: linux security update
History

Sat, 18 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-668

Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics
Values Removed: threat_severity: None
Values Added: cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity: Moderate


Sat, 14 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
Title mm, shmem: prevent infinite loop on truncate race
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-14T16:27:09.429Z

Reserved: 2026-01-13T15:37:45.983Z

Link: CVE-2026-23177

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-02-14T17:15:55.430

Modified: 2026-04-15T14:34:27.800

Link: CVE-2026-23177

Redhat

Severity: Moderate

Public Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23177 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T12:30:45Z

Weaknesses