Description
In the Linux kernel, the following vulnerability has been resolved:

x86/efi: defer freeing of boot services memory

efi_free_boot_services() frees memory occupied by EFI_BOOT_SERVICES_CODE
and EFI_BOOT_SERVICES_DATA using memblock_free_late().

There are two issues with that: memblock_free_late() should be used for
memory allocated with memblock_alloc() while the memory reserved with
memblock_reserve() should be freed with free_reserved_area().

More acutely, with CONFIG_DEFERRED_STRUCT_PAGE_INIT=y
efi_free_boot_services() is called before deferred initialization of the
memory map is complete.

Benjamin Herrenschmidt reports that this causes a leak of ~140MB of
RAM on EC2 t3a.nano instances which only have 512MB of RAM.

If the freed memory resides in the areas that memory map for them is
still uninitialized, they won't be actually freed because
memblock_free_late() calls memblock_free_pages() and the latter skips
uninitialized pages.

Using free_reserved_area() at this point is also problematic because
__free_page() accesses the buddy of the freed page and that again might
end up in uninitialized part of the memory map.

Delaying the entire efi_free_boot_services() could be problematic
because in addition to freeing boot services memory it updates
efi.memmap without any synchronization and that's undesirable late in
boot when there is concurrency.

More robust approach is to only defer freeing of the EFI boot services
memory.

Split efi_free_boot_services() in two. First efi_unmap_boot_services()
collects ranges that should be freed into an array then
efi_free_boot_services() later frees them after deferred init is complete.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Exhaustion
Action: Apply Patch
AI Analysis

Impact

The Linux kernel contains a flaw in the EFI boot services memory release routine, where allocated boot‑service memory is freed using memblock_free_late() instead of free_reserved_area(). This misuse can cause a leak of approximately 140 MB of RAM on systems with limited memory, such as EC2 t3a.nano instances, leading to memory exhaustion and potentially a system crash. The weakness is a Memory Management issue, classified as CWE‑763 (Memory Exhaustion).

Affected Systems

Any machine running the Linux kernel on an x86 system that utilizes UEFI boot services and has the CONFIG_DEFERRED_STRUCT_PAGE_INIT option enabled is affected. The CPE indicates the Linux kernel as the impacted product, but no specific kernel version is listed. The issue is inherent to the EFI subsystem of the kernel rather than a particular distribution.
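
A pre-check for the three conditions named above (x86, EFI boot, CONFIG_DEFERRED_STRUCT_PAGE_INIT=y), added here as an example; it is not part of the OpenCVE record or the kernel patch. The function name and result strings are hypothetical, and the check cannot tell whether the fix is already present, since the record lists no kernel version.

```sh
#!/bin/sh
# Exposure pre-check for the conditions named in "Affected Systems" (added example).
# Paths are parameters so the check can be pointed at a mounted image;
# the values used in "live" mode are the usual locations on a running system.

# efi_deferred_exposure ARCH KCONFIG EFI_DIR   (hypothetical helper name)
# Prints one of: not-x86 | not-efi-boot | config-unknown |
#                deferred-init-off | conditions-met
efi_deferred_exposure() {
    arch=$1 kconfig=$2 efi_dir=$3

    case "$arch" in
        x86_64|i?86) ;;
        *) echo "not-x86"; return 0 ;;
    esac

    # /sys/firmware/efi exists only when the kernel was booted via EFI.
    [ -d "$efi_dir" ] || { echo "not-efi-boot"; return 0; }

    # Without a readable build config the option cannot be determined.
    if [ ! -r "$kconfig" ]; then
        echo "config-unknown"; return 0
    fi

    # Build configs may be plain text or gzip-compressed (/proc/config.gz).
    case "$kconfig" in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac

    if $reader "$kconfig" | grep -q '^CONFIG_DEFERRED_STRUCT_PAGE_INIT=y$'; then
        echo "conditions-met"
    else
        echo "deferred-init-off"
    fi
}

# Check the running system only when invoked with the argument "live".
if [ "${1:-}" = "live" ]; then
    efi_deferred_exposure "$(uname -m)" "/boot/config-$(uname -r)" /sys/firmware/efi
fi
```

A result of conditions-met means the host matches the configuration described in the record and should be prioritised for the patched kernel; it does not by itself show that memory is being leaked.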

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while the EPSS score of less than 1 % shows a very low projected exploitation probability. Based on the description, it is inferred that the vulnerability can only be exploited during the early boot phase, requiring local access to the machine’s boot process, and no remote attack vector is explicitly documented. Therefore, while the risk is limited to memory‑constrained environments, the bug can degrade performance or cause a denial of service once sufficient memory is consumed.

Generated by OpenCVE AI on March 26, 2026 at 04:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that splits efi_free_boot_services into efi_unmap_boot_services and efi_free_boot_services, resolving the memory leak.
  • If a patch cannot be applied immediately, temporarily disable the CONFIG_DEFERRED_STRUCT_PAGE_INIT kernel configuration option to avoid improper memory freeing during boot.
  • Monitor system memory usage during boot on low‑memory nodes to ensure boot services memory is released correctly.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:15:00 +0000


Thu, 26 Mar 2026 00:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-763
References | |
Metrics | threat_severity: None | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity: Low


Wed, 25 Mar 2026 10:45:00 +0000

Type | Values Removed | Values Added
Title | | x86/efi: defer freeing of boot services memory
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:58:06.719Z

Reserved: 2026-01-13T15:37:46.000Z

Link: CVE-2026-23352

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:33.627

Modified: 2026-04-18T09:16:20.540

Link: CVE-2026-23352

Redhat

Severity : Low

Public Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23352 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-26T12:16:05Z

Weaknesses