Description
In the Linux kernel, the following vulnerability has been resolved:

futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()

During futex_key_to_node_opt() execution, vma->vm_policy is read under
speculative mmap lock and RCU. Concurrently, mbind() may call
vma_replace_policy() which frees the old mempolicy immediately via
kmem_cache_free().

This creates a race where __futex_key_to_node() dereferences a freed
mempolicy pointer, causing a use-after-free read of mpol->mode.

[ 151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)
[ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87

[ 151.415969] Call Trace:

[ 151.416732] __asan_load2 (mm/kasan/generic.c:271)
[ 151.416777] __futex_key_to_node (kernel/futex/core.c:349)
[ 151.416822] get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)

Fix by adding rcu to __mpol_put().
Published: 2026-04-02
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use‑after‑free read in kernel futex handling
Action: Patch
AI Analysis

Impact

A race exists between futex_key_to_node_opt() and vma_replace_policy() in the Linux kernel. During a concurrent mbind() call the old mempolicy is freed while futex_key_to_node_opt() is still reading it. This leads to a use-after-free read of the mpol->mode field, potentially causing a kernel crash or leaking kernel memory content. The bug manifests as a KASAN slab-use-after-free report in __futex_key_to_node, as shown in the call trace in the description above.
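The interleaving described in the commit message and restated above (a reader holding vma->vm_policy inside an RCU read-side section while mbind() frees the old mempolicy immediately), beside the fix of deferring the free past that section, as an added single-threaded C model. This is illustration written for this page, not kernel code: the rcu_*_mock and kfree_rcu_mock helpers, the freed flag, MODE_FREED and the mode constants are constructed stand-ins for the kernel's RCU primitives and slab allocator, and the mock waits for all readers rather than for a true grace period.

```c
#include <stdio.h>

/* Mode values and the model-only sentinel (arbitrary, constructed). */
#define MPOL_BIND       2
#define MPOL_PREFERRED  1
#define MODE_FREED      0xDEAD

struct mempolicy {
    int mode;
    int freed;   /* model-only: set by the mock kmem_cache_free() */
};

/* Two statically allocated policies stand in for slab objects. */
static struct mempolicy pol_old, pol_new;

/* The pointer the reader dereferences, standing in for vma->vm_policy. */
static struct mempolicy *vm_policy;

/* Mock RCU: readers inside a read-side critical section, plus a queue of
 * frees deferred until no reader remains. Real RCU waits for a grace period
 * that covers pre-existing readers only; the simplification suffices here. */
static int rcu_readers;
static struct mempolicy *deferred[8];
static int ndeferred;

static void kmem_cache_free_mock(struct mempolicy *p) { p->freed = 1; }

static void rcu_read_lock_mock(void) { rcu_readers++; }

static void rcu_read_unlock_mock(void)
{
    if (--rcu_readers == 0) {
        for (int i = 0; i < ndeferred; i++)
            kmem_cache_free_mock(deferred[i]);
        ndeferred = 0;
    }
}

static void kfree_rcu_mock(struct mempolicy *p)
{
    if (rcu_readers == 0) {
        kmem_cache_free_mock(p);
        return;
    }
    deferred[ndeferred++] = p;
}

/* Update side, modelling vma_replace_policy(): publish the new policy,
 * then drop the old one either immediately (the bug) or via RCU (the fix). */
static void vma_replace_policy_model(struct mempolicy *newpol, int use_rcu)
{
    struct mempolicy *old = vm_policy;
    vm_policy = newpol;
    if (use_rcu)
        kfree_rcu_mock(old);
    else
        kmem_cache_free_mock(old);
}

/* Read side, modelling __futex_key_to_node(): the policy pointer is loaded
 * under the read lock, the concurrent mbind() lands, then mpol->mode is read.
 * Returns the observed mode, or MODE_FREED if the object was already freed. */
static int futex_key_to_node_model(int use_rcu)
{
    rcu_read_lock_mock();
    struct mempolicy *mpol = vm_policy;           /* rcu_dereference() */
    vma_replace_policy_model(&pol_new, use_rcu);  /* concurrent mbind() */
    int mode = mpol->freed ? MODE_FREED : mpol->mode;
    rcu_read_unlock_mock();
    return mode;
}

/* Reset the model and run one interleaving; use_rcu selects bug (0) or fix (1). */
int run_scenario(int use_rcu)
{
    pol_old.mode = MPOL_BIND;      pol_old.freed = 0;
    pol_new.mode = MPOL_PREFERRED; pol_new.freed = 0;
    vm_policy = &pol_old;
    rcu_readers = 0;
    ndeferred = 0;
    return futex_key_to_node_model(use_rcu);
}

/* After a run: was the old policy released once the reader left its section? */
int old_policy_freed(void) { return pol_old.freed; }

int main(void)
{
    printf("immediate free: reader saw 0x%x (freed object)\n", run_scenario(0));
    printf("deferred free:  reader saw mode %d, old policy freed afterwards: %d\n",
           run_scenario(1), old_policy_freed());
    return 0;
}
```

With the immediate free the reader's already-loaded pointer refers to a released object by the time mpol->mode is read, which is exactly what KASAN flagged; with the deferred free the reader still sees the old mode, and the old object is only released after rcu_read_unlock_mock() runs.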

Affected Systems

All Linux kernel builds that contain the unpatched futex routine are affected. The vulnerability applies to every distribution that ships a kernel version predating the commit that adds RCU protection to __mpol_put(). Vendor and product names such as "Linux:Linux" denote the operating system itself; no more specific product name applies because the kernel is shared across distributions.

Risk and Exploitability

The CVSS score of 5.5 classifies the flaw as moderate severity. An EPSS score below 1 % and the absence of a listing in CISA's KEV catalog indicate a low overall exploitation probability. Exploitation requires a local or privileged attacker to orchestrate a race between futex usage and mbind() operations, which is non‑trivial. Consequently, while the impact is significant on a compromised system, the likelihood of real‑world exploitation remains low under normal operating conditions.

Generated by OpenCVE AI on April 3, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a release that contains the RCU patch for __mpol_put(), for example by installing the latest security patch or kernel update from the distribution
  • Verify that the running kernel includes the committed change by checking the kernel version or reviewing the change log
  • If immediate updating is not possible, avoid using mbind() in applications that rely heavily on futexes, or limit exposure to these APIs until the patch is applied

Generated by OpenCVE AI on April 3, 2026 at 03:51 UTC.


Advisories

No advisories yet.

History

Fri, 24 Apr 2026 15:30:00 +0000

Weaknesses
  Values Added: CWE-416
CPEs
  Values Added:
    cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics
  Values Removed: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
  Values Added:   cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 03 Apr 2026 01:30:00 +0000

Weaknesses
  Values Added: CWE-367
References
Metrics
  Values Removed: threat_severity None
  Values Added:   cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
                  threat_severity Moderate


Thu, 02 Apr 2026 12:00:00 +0000

Description
  Values Added: the text shown in the Description section above
Title
  Values Added: futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()
First Time appeared
  Values Added: Linux, Linux Kernel
CPEs
  Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products
  Values Added: Linux, Linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:06:59.580Z

Reserved: 2026-01-13T15:37:46.014Z

Link: CVE-2026-23415

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-02T12:16:20.810

Modified: 2026-04-24T15:22:23.660

Link: CVE-2026-23415

Redhat

Severity : Moderate

Public Date: 2026-04-02T00:00:00Z

Links: CVE-2026-23415 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T09:18:53Z

Weaknesses