Description
In the Linux kernel, the following vulnerability has been resolved:

mm/mseal: update VMA end correctly on merge

Previously we stored the end of the current VMA in curr_end, and then upon
iterating to the next VMA updated curr_start to curr_end to advance to the
next VMA.

However, this doesn't take into account the fact that a VMA might be
updated due to a merge by vma_modify_flags(), which can result in curr_end
being stale and thus, upon setting curr_start to curr_end, ending up with
an incorrect curr_start on the next iteration.

Resolve the issue by setting curr_end to vma->vm_end unconditionally to
ensure this value remains updated should this occur.

While we're here, eliminate this entire class of bug by simply setting
const curr_[start/end] to be clamped to the input range and VMAs, which
also happens to simplify the logic.
Published: 2026-04-02
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Potential kernel memory corruption
Action: Immediate Patch
AI Analysis

Impact

The Linux kernel memory-management subsystem contains a logic flaw in the mm/mseal code that walks the VMAs in the requested range. When vma_modify_flags() merges a VMA, the end address stored in curr_end can become stale, yet the code continues to use this outdated value as curr_start for the next VMA. This can lead the kernel to treat a region as outside of the VMA bounds, potentially overwriting or misreading kernel memory. The description does not explicitly state a current exploitation vector, but the effect is a corruption of kernel memory boundaries, which could in turn allow privilege escalation or denial of service if an attacker can trigger the merge logic.

Affected Systems

All Linux kernel builds that include the mm/mseal VMA logic before the patch commit are potentially affected. No explicit version numbers are provided, so any running kernel that has not integrated the described commit may be vulnerable.

Risk and Exploitability

The CVSS score is not listed and the EPSS score is less than 1%. The vulnerability is not in the CISA KEV catalog. Exploitation would require kernel-privileged code to invoke vma_modify_flags() and induce the stale value condition. While the potential impact on kernel memory integrity is serious, the low probability of exploitation and absence of known public exploits reduce the immediate risk for most environments.

Generated by OpenCVE AI on April 2, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that includes the commit correcting the VMA merge logic (see the provided commit URLs).
  • If a vendor kernel update is not already available, backport the specific upstream commit to your kernel source tree.
  • After applying the patch, restart or reload the kernel to ensure the updated VMA handling code is active.
  • Verify that the patch correctly updates curr_end before each VMA iteration by reviewing the commit diff.
  • Keep the kernel updated with the latest security patches and monitor upstream kernel releases for related advisories.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Values Removed: (none listed)
Values Added:
  • Weaknesses: CWE-119, CWE-416

Thu, 02 Apr 2026 12:00:00 +0000

Values Removed: (none listed)
Values Added:
  • Description: the text shown under Description at the top of this page
  • Title: mm/mseal: update VMA end correctly on merge
  • First Time appeared: Linux; Linux linux Kernel
  • CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-02T11:40:57.158Z

Reserved: 2026-01-13T15:37:46.014Z

Link: CVE-2026-23416

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-02T12:16:20.960

Modified: 2026-04-02T12:16:20.960

Link: CVE-2026-23416

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:21:28Z

Weaknesses