Description
In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix WARN_ON in tracing_buffers_mmap_close

When a process forks, the child process copies the parent's VMAs but the
user_mapped reference count is not incremented. As a result, when both the
parent and child processes exit, tracing_buffers_mmap_close() is called
twice. On the second call, user_mapped is already 0, causing the function to
return -ENODEV and triggering a WARN_ON.

Normally, this isn't an issue as the memory is mapped with VM_DONTCOPY set.
But this is only a hint, and the application can call
madvise(MADVISE_DOFORK) which resets the VM_DONTCOPY flag. When the
application does that, it can trigger this issue on fork.

Fix it by incrementing the user_mapped reference count without re-mapping
the pages in the VMA's open callback.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Double close of tracing buffers on fork can trigger WARN_ON and return -ENODEV, but does not permit code execution.
Action: Monitor
AI Analysis

Impact

When a process is forked, the child inherits the parent's virtual memory areas, but the user-mapped reference counter for tracing buffers is not increased. If both parent and child exit, the cleanup routine is invoked twice. On the second invocation the counter is already zero, causing a negative error return and a warning. The vulnerability does not lead to arbitrary code execution or privilege escalation; it simply results in a warning and a benign error code. It may, however, clutter logs or be abused for denial‑of‑service style sabotage, but no direct exploitation path is documented.

Affected Systems

This issue is present in the Linux kernel across all versions affected by the tracking commit. The specific version range is not supplied in the advisory. Users running any recent Linux kernel should verify whether the fix is included.

Risk and Exploitability

The CVSS score of 3.3 rates this as low severity, and the EPSS probability is below 1 %. It is not listed in the CISA KEV catalog and no exploits are known. The likely attack vector is local: a process with the ability to fork can trigger the double closure by using madvise(MADVISE_DOFORK) to clear the VM_DONTCOPY flag. Because no remote exploitation or privilege escalation is possible, the overall risk is considered low but should still be observed if suspicious warning messages appear.

Generated by OpenCVE AI on March 26, 2026 at 14:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel patch that includes the fix for the double‑close warning.
  • Verify that the kernel you run contains the kernel commit referenced in the advisory.
  • If your applications use madvise with MADVISE_DOFORK, evaluate whether this is necessary and remove it if not critical.
  • Monitor kernel logs for occurrences of WARN_ON related to tracing buffers, and investigate any unexplained instances.

Generated by OpenCVE AI on March 26, 2026 at 14:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 24 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-617
CPEs cpe:2.3:o:linux:linux_kernel:6.10:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-398

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References
Metrics threat_severity

None

 cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Low

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-398

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: tracing: Fix WARN_ON in tracing_buffers_mmap_close When a process forks, the child process copies the parent's VMAs but the user_mapped reference count is not incremented. As a result, when both the parent and child processes exit, tracing_buffers_mmap_close() is called twice. On the second call, user_mapped is already 0, causing the function to return -ENODEV and triggering a WARN_ON. Normally, this isn't an issue as the memory is mapped with VM_DONTCOPY set. But this is only a hint, and the application can call madvise(MADVISE_DOFORK) which resets the VM_DONTCOPY flag. When the application does that, it can trigger this issue on fork. Fix it by incrementing the user_mapped reference count without re-mapping the pages in the VMA's open callback.
Title tracing: Fix WARN_ON in tracing_buffers_mmap_close
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:06:16.302Z

Reserved: 2026-01-13T15:37:46.007Z

Link: CVE-2026-23380

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T11:16:38.017

Modified: 2026-04-24T16:28:47.850

Link: CVE-2026-23380

cve-icon Redhat

Severity : Low

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23380 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:49:00Z

Weaknesses