{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23380", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.007Z", "datePublished": "2026-03-25T10:27:59.682Z", "dateUpdated": "2026-03-25T10:27:59.682Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:59.682Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix WARN_ON in tracing_buffers_mmap_close\n\nWhen a process forks, the child process copies the parent's VMAs but the\nuser_mapped reference count is not incremented. As a result, when both the\nparent and child processes exit, tracing_buffers_mmap_close() is called\ntwice. On the second call, user_mapped is already 0, causing the function to\nreturn -ENODEV and triggering a WARN_ON.\n\nNormally, this isn't an issue as the memory is mapped with VM_DONTCOPY set.\nBut this is only a hint, and the application can call\nmadvise(MADVISE_DOFORK) which resets the VM_DONTCOPY flag. When the\napplication does that, it can trigger this issue on fork.\n\nFix it by incrementing the user_mapped reference count without re-mapping\nthe pages in the VMA's open callback."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/ring_buffer.h", "kernel/trace/ring_buffer.c", "kernel/trace/trace.c"], "versions": [{"version": "cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64", "lessThan": "91f3e8d84c89918769e71393f839c9fefadc2580", "status": "affected", "versionType": "git"}, {"version": "cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64", "lessThan": "cdd96641b64297a2db42676f051362b76280a58b", "status": "affected", "versionType": "git"}, {"version": "cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64", "lessThan": "b0f269ba6fefe9e3cb9feedcf78fcd0b633800c0", "status": "affected", "versionType": "git"}, {"version": "cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64", "lessThan": "e39bb9e02b68942f8e9359d2a3efe7d37ae6be0e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/ring_buffer.h", "kernel/trace/ring_buffer.c", "kernel/trace/trace.c"], "versions": [{"version": "6.10", "status": "affected"}, {"version": "0", "lessThan": "6.10", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/91f3e8d84c89918769e71393f839c9fefadc2580"}, {"url": "https://git.kernel.org/stable/c/cdd96641b64297a2db42676f051362b76280a58b"}, {"url": "https://git.kernel.org/stable/c/b0f269ba6fefe9e3cb9feedcf78fcd0b633800c0"}, {"url": "https://git.kernel.org/stable/c/e39bb9e02b68942f8e9359d2a3efe7d37ae6be0e"}], "title": "tracing: Fix WARN_ON in tracing_buffers_mmap_close", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix WARN_ON in tracing_buffers_mmap_close\n\nWhen a process forks, the child process copies the parent's VMAs but the\nuser_mapped reference count is not incremented. As a result, when both the\nparent and child processes exit, tracing_buffers_mmap_close() is called\ntwice. On the second call, user_mapped is already 0, causing the function to\nreturn -ENODEV and triggering a WARN_ON.\n\nNormally, this isn't an issue as the memory is mapped with VM_DONTCOPY set.\nBut this is only a hint, and the application can call\nmadvise(MADVISE_DOFORK) which resets the VM_DONTCOPY flag. When the\napplication does that, it can trigger this issue on fork.\n\nFix it by incrementing the user_mapped reference count without re-mapping\nthe pages in the VMA's open callback."}], "id": "CVE-2026-23380", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:38.017", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/91f3e8d84c89918769e71393f839c9fefadc2580"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b0f269ba6fefe9e3cb9feedcf78fcd0b633800c0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cdd96641b64297a2db42676f051362b76280a58b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e39bb9e02b68942f8e9359d2a3efe7d37ae6be0e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: tracing: Fix WARN_ON in tracing_buffers_mmap_close", "id": "2451266", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451266"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-911", "details": ["A flaw was found in the Linux kernel. A local user could exploit an issue in the tracing buffer's memory management when a process forks. If an application uses `madvise(MADVISE_DOFORK)`, it can cause the `tracing_buffers_mmap_close()` function to be called multiple times, leading to a system warning and potentially a denial of service."], "name": "CVE-2026-23380", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23380\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23380\nhttps://lore.kernel.org/linux-cve-announce/2026032542-CVE-2026-23380-9e3c@gregkh/T"], "statement": "This flaw affects tracing buffer mmap usage with fork(). When MADVISE_DOFORK overrides VM_DONTCOPY, the user_mapped refcount isn't incremented for child VMAs, causing double-close on both processes exiting. This triggers a WARN_ON but doesn't cause memory corruption. Requires specific madvise() usage with tracing mmap.", "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-03-25T12:20:52.355734+00:00", "value": {"mitigation_remediation": ["Apply the latest kernel update that includes the tracing_buffers_mmap_close fix", "Avoid calling madvise(MADVISE_DOFORK) on traced buffers before fork"], "summary": {"action": "Apply patch", "impact": "Kernel warning or local instability due to double close of tracing buffer mapping"}, "threat_synthesis": {"affected_systems": "Any Linux kernel release that includes the tracing subsystem and has not applied the fix is affected. The vulnerability applies to all distributions shipping an unpatched kernel; the issue is present before the kernel commit that increments the reference count.", "description_and_impact": "A flaw in the Linux kernel tracing subsystem causes a double close of a user\u2011mapped tracing buffer when a process forks and exits. The child inherits the parent\u2019s virtual memory areas without incrementing a reference counter, so the second unmap sees a zero count and triggers a WARN_ON while returning \u2013ENODEV. The defect manifests only when applications reset the VM_DONTCOPY flag via madvise(MADVISE_DOFORK) before forking. The warning does not directly lead to code execution or denial of service but indicates a potential internal inconsistency that could affect system stability.", "risk_and_exploitability": "The vulnerability is limited to local processes that explicitly manipulate tracing buffer mappings before forking. No exploit is known that converts the warning into privilege escalation or remote impact. The CVSS score is not available, and the EPSS score is not reported, suggesting low likelihood of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog and poses minimal risk outside of internal warning noise."}}}}, "created": "2026-03-25T21:31:35.853329+00:00", "updated": "2026-03-25T21:31:35.853356+00:00", "vendors": [], "weaknesses": ["CWE-398"]}