Description
In the Linux kernel, the following vulnerability has been resolved:

procfs: fix possible double mmput() in do_procmap_query()

When user provides incorrectly sized buffer for build ID for PROCMAP_QUERY
we return with -ENAMETOOLONG error. After recent changes this condition
happens later, after we unlocked mmap_lock/per-VMA lock and did mmput(),
so original goto out is now wrong and will double-mmput() mm_struct. Fix
by jumping further to clean up only vm_file and name_buf.
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kernel contains a double mmput() in the PROCMAP_QUERY path. When a user supplies an incorrectly sized buffer for the build ID, the code releases an mm_struct reference twice once the mutex has already been unlocked. This double deallocation can corrupt kernel memory and lead to a crash or denial of service. This double free is a classic double‑free vulnerability (CWE‑415).

Affected Systems

All Linux kernel implementations are affected, as the issue is present in the core procfs handling. No specific kernel releases are listed, so a kernel upgrade that incorporates the patch is required.

Risk and Exploitability

The CVSS score is not provided, but a double‑free in the kernel can trigger a high‑impact crash. Exploitation would require a user or process that can invoke the PROCMAP_QUERY ioctl with a malformed build‑ID buffer. The EPSS score is unavailable and the vulnerability is not in the CISA KEV catalog. An attacker with local access can cause a kernel panic to disrupt the system and potentially reboot to gain further footholds if memory is compromised.

Generated by OpenCVE AI on May 6, 2026 at 16:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to the latest stable release that includes the fix for double mmput() in do_procmap_query()
  • Apply the patch from the kernel repository commits referenced and rebuild to ensure the fix is in place
  • Test the kernel by invoking the PROCMAP_QUERY ioctl with an oversized build‑ID buffer to confirm the double mmput issue is resolved.

Generated by OpenCVE AI on May 6, 2026 at 16:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: procfs: fix possible double mmput() in do_procmap_query() When user provides incorrectly sized buffer for build ID for PROCMAP_QUERY we return with -ENAMETOOLONG error. After recent changes this condition happens later, after we unlocked mmap_lock/per-VMA lock and did mmput(), so original goto out is now wrong and will double-mmput() mm_struct. Fix by jumping further to clean up only vm_file and name_buf.
Title procfs: fix possible double mmput() in do_procmap_query()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:27:51.524Z

Reserved: 2026-05-01T14:12:55.991Z

Link: CVE-2026-43178

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:36.303

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43178

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T17:00:05Z

Weaknesses