Description
In the Linux kernel, the following vulnerability has been resolved:

mm/mseal: update VMA end correctly on merge

Previously we stored the end of the current VMA in curr_end, and then upon
iterating to the next VMA updated curr_start to curr_end to advance to the
next VMA.

However, this doesn't take into account the fact that a VMA might be
updated due to a merge by vma_modify_flags(), which can result in curr_end
being stale and thus, upon setting curr_start to curr_end, ending up with
an incorrect curr_start on the next iteration.

Resolve the issue by setting curr_end to vma->vm_end unconditionally to
ensure this value remains updated should this occur.

While we're here, eliminate this entire class of bug by simply setting
const curr_[start/end] to be clamped to the input range and VMAs, which
also happens to simplify the logic.
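A simplified user-space model of the stale curr_end problem described above, added here as an illustration; it is not kernel code and not the upstream patch. The `struct vma` array, `seal_and_merge()` (a hypothetical stand-in for the merge performed by vma_modify_flags()), `walk()` and the address layout are all constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* User-space model only: a VMA is a half-open range [start, end) plus a sealed bit. */
struct vma { unsigned long start, end; int sealed; };

/* Hypothetical stand-in for the merge done by vma_modify_flags(): seal v[i] and
 * absorb an adjacent, already sealed successor. Returns the new VMA count. */
static int seal_and_merge(struct vma *v, int n, int i)
{
    v[i].sealed = 1;
    if (i + 1 < n && v[i + 1].sealed && v[i + 1].start == v[i].end) {
        v[i].end = v[i + 1].end;            /* the VMA grows past the cached curr_end */
        memmove(&v[i + 1], &v[i + 2], (size_t)(n - i - 2) * sizeof(*v));
        n--;
    }
    return n;
}

/* Count iterations whose curr_start lies outside the VMA; clamp == 1 recomputes it. */
static int walk(struct vma *v, int n, unsigned long start, unsigned long end, int clamp)
{
    unsigned long curr_start = start;
    int bad = 0;
    for (int i = 0; i < n && v[i].start < end; i++) {
        unsigned long curr_end = v[i].end < end ? v[i].end : end;
        if (clamp)                          /* clamp to the input range and the VMA */
            curr_start = v[i].start > start ? v[i].start : start;
        if (curr_start < v[i].start || curr_start >= v[i].end)
            bad++;
        if (!v[i].sealed)
            n = seal_and_merge(v, n, i);
        curr_start = curr_end;              /* stale once the merge has moved v[i].end */
    }
    return bad;
}

/* Constructed layout: unsealed, sealed, unsealed; the whole span is sealed. */
static int run_model(int clamp)
{
    struct vma v[] = { {0x1000, 0x2000, 0}, {0x2000, 0x3000, 1}, {0x3000, 0x4000, 0} };
    return walk(v, 3, 0x1000, 0x4000, clamp);
}

int main(void)
{
    printf("carried-over: %d bad iteration(s), clamped: %d\n", run_model(0), run_model(1));
    return 0;
}
```

With this layout the carried-over variant reaches the last region with curr_start at 0x2000 although that VMA starts at 0x3000; the clamped variant never leaves the VMA it is processing.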
Published: 2026-04-02
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Kernel memory corruption
Action: Patch
AI Analysis

Impact

When a virtual memory area is modified during a merge, the kernel mistakenly keeps a stale end address for the current VMA. This causes the following iteration to start at an incorrect offset, potentially corrupting kernel data structures or causing invalid memory accesses. The flaw could allow an attacker with sufficient privileges to execute arbitrary code or destabilize the system.

Affected Systems

The bug resides in the mm/mseal component of the Linux kernel. Every Linux kernel that does not contain the patch that updates the VMA end during a merge operation is vulnerable. Distribution vendors have not yet released a version that incorporates the commit, so any kernel older than the fix commit is affected.

Risk and Exploitability

The exploit probability is very low, with an EPSS score below 1% and no known wild exploits listed in the CISA KEV catalog. Successful exploitation would require local kernel privileges or the ability to load a kernel module, making remote attack unlikely. The vulnerability is unassisted and leverages a kernel memory mapping bug, so any local attacker could potentially gain full control if the flaw is triggered.

Generated by OpenCVE AI on April 3, 2026 at 12:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Identify the current kernel version and confirm whether it includes the merge‑fix commit.
  • If the kernel is still vulnerable, update to a patched release from your distribution or the upstream kernel that contains the commit.
  • Reboot the system after installing the new kernel to activate the patch.
  • Verify that the kernel no longer contains the erroneous VMA merge logic by reviewing the release notes or running a memory‑mapping sanity check.

Generated by OpenCVE AI on April 3, 2026 at 12:50 UTC.

Advisories

No advisories yet.

History

Fri, 24 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-416

Fri, 03 Apr 2026 01:30:00 +0000


Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-416

Thu, 02 Apr 2026 12:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mm/mseal: update VMA end correctly on merge Previously we stored the end of the current VMA in curr_end, and then upon iterating to the next VMA updated curr_start to curr_end to advance to the next VMA. However, this doesn't take into account the fact that a VMA might be updated due to a merge by vma_modify_flags(), which can result in curr_end being stale and thus, upon setting curr_start to curr_end, ending up with an incorrect curr_start on the next iteration. Resolve the issue by setting curr_end to vma->vm_end unconditionally to ensure this value remains updated should this occur. While we're here, eliminate this entire class of bug by simply setting const curr_[start/end] to be clamped to the input range and VMAs, which also happens to simplify the logic.
Title mm/mseal: update VMA end correctly on merge
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:07:01.476Z

Reserved: 2026-01-13T15:37:46.014Z

Link: CVE-2026-23416

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-02T12:16:20.960

Modified: 2026-04-24T15:21:59.490

Link: CVE-2026-23416

Redhat

Severity :

Public Date: 2026-04-02T00:00:00Z

Links: CVE-2026-23416 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T21:17:16Z

Weaknesses