Description
In the Linux kernel, the following vulnerability has been resolved:

mm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node

When CONFIG_PAGE_OWNER is enabled, freeing KASAN shadow pages during
vmalloc cleanup triggers expensive stack unwinding that acquires RCU read
locks. Processing a large purge_list without rescheduling can cause the
task to hold CPU for extended periods (10+ seconds), leading to RCU stalls
and potential OOM conditions.

The issue manifests in purge_vmap_node() -> kasan_release_vmalloc_node()
where iterating through hundreds or thousands of vmap_area entries and
freeing their associated shadow pages causes:

rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P6229/1:b..l
...
task:kworker/0:17 state:R running task stack:28840 pid:6229
...
kasan_release_vmalloc_node+0x1ba/0xad0 mm/vmalloc.c:2299
purge_vmap_node+0x1ba/0xad0 mm/vmalloc.c:2299

Each call to kasan_release_vmalloc() can free many pages, and with
page_owner tracking, each free triggers save_stack() which performs stack
unwinding under RCU read lock. Without yielding, this creates an
unbounded RCU critical section.

Add periodic cond_resched() calls within the loop to allow:
- RCU grace periods to complete
- Other tasks to run
- Scheduler to preempt when needed

The fix uses need_resched() for immediate response under load, with a
batch count of 32 as a guaranteed upper bound to prevent worst-case stalls
even under light load.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates in the Linux kernel's vmalloc subsystem when CONFIG_PAGE_OWNER is enabled. During vmalloc cleanup, freeing KASAN shadow pages triggers repeated stack unwinding that acquires RCU read locks. Because the cleanup loop does not voluntarily reschedule, a single task can hold the CPU for many seconds while sequentially processing hundreds or thousands of vmap_area entries. This creates an unbounded RCU critical section, causes rcu_preempt stall messages, and can lead to out-of-memory conditions by preventing other tasks from completing RCU grace periods. The primary impact is a denial of service that manifests as kernel stalls and potentially system unresponsiveness.

Affected Systems

All Linux kernel releases that compile with CONFIG_PAGE_OWNER enabled and that include the KASAN shadow page tracking feature are affected. The flaw is present in the kernel code before the recent patch that introduces periodic cond_resched() calls in kasan_release_vmalloc_node. Systems running any kernel prior to that patch and with the relevant configuration in use face the risk.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity. The EPSS score is < 1%, implying a low likelihood of exploitation, and the vulnerability is not listed in CISA KEV. It is a local kernel bug; an attacker must trigger a large vmalloc cleanup, which typically requires running privileged or kernel-mode code. The description does not mention any publicly disclosed exploits or exploitation techniques. Based on the description, it is inferred that an attacker would need kernel-level execution or a configuration that generates a large cleanup to exercise the flaw.

Generated by OpenCVE AI on May 15, 2026 at 01:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel update that incorporates the kasan_release_vmalloc_node patch, which mitigates resource exhaustion by inserting periodic rescheduling (CWE‑770).
  • If an immediate update is not feasible, disable CONFIG_PAGE_OWNER or turn off KASAN shadow page tracking to avoid the heavy stack unwinding that can cause resource exhaustion and RCU stalls.
  • After applying the fix or hardening, monitor dmesg or /var/log/kern.log for rcu_preempt stall messages and confirm no custom patches re‑introduce the original loop without rescheduling.

Generated by OpenCVE AI on May 15, 2026 at 01:50 UTC.
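
The log check from the last recommended action, as an added example (not OpenCVE's or the kernel project's code): it scans kernel log text for RCU stall reports whose dump contains kasan_release_vmalloc_node or purge_vmap_node, the two frames in the trace quoted in the description. The sample log with its timestamps, the 64-line window and the name find_vmalloc_purge_stalls are assumptions made for the example.

```python
import re
import sys

# Constructed sample: the stall trace quoted in the description with made-up
# dmesg timestamps, followed by an unrelated stall that must not be reported.
SAMPLE_LOG = """\
[  812.104] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
[  812.104] rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P6229/1:b..l
[  812.105] task:kworker/0:17 state:R running task stack:28840 pid:6229
[  812.106]  kasan_release_vmalloc_node+0x1ba/0xad0 mm/vmalloc.c:2299
[  812.106]  purge_vmap_node+0x1ba/0xad0 mm/vmalloc.c:2299
[  990.500] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[ 1300.001] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
[ 1300.003]  some_other_driver_work+0x40/0x200
"""

STALL_RE = re.compile(r"rcu: INFO: (rcu_\w+) detected stalls")
TASK_RE = re.compile(r"task:(\S+)\s+state:\S+.*?\bpid:(\d+)")
FRAME_RE = re.compile(r"\b([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
SUSPECT = {"kasan_release_vmalloc_node", "purge_vmap_node"}  # from the page's trace
WINDOW = 64  # assumption: lines after a stall header that belong to its dump

def find_vmalloc_purge_stalls(log_text):
    """Return RCU stall reports whose dump contains a SUSPECT frame."""
    lines = log_text.splitlines()
    hits = []
    for i, line in enumerate(lines):
        header = STALL_RE.search(line)
        if not header:
            continue
        report = {"line": i + 1, "flavor": header.group(1),
                  "task": None, "pid": None, "frames": []}
        for follow in lines[i + 1:i + 1 + WINDOW]:
            if STALL_RE.search(follow):      # next report starts here
                break
            task = TASK_RE.search(follow)
            if task and report["task"] is None:
                report["task"], report["pid"] = task.group(1), int(task.group(2))
            frame = FRAME_RE.search(follow)
            if frame and frame.group(1) in SUSPECT:
                report["frames"].append(frame.group(1))
        if report["frames"]:                 # stalls elsewhere are ignored
            hits.append(report)
    return hits

if __name__ == "__main__":
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for hit in find_vmalloc_purge_stalls(text):
        print(hit)
```

Run it with kernel log text on stdin; a non-empty result after the patched kernel is deployed means the purge path is still stalling and the running build should be checked for the fix.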

Advisories

No advisories yet.

History

Thu, 14 May 2026 23:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-246
CWE-730

Thu, 14 May 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Fri, 08 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-246
CWE-730

Fri, 08 May 2026 13:30:00 +0000

Type Values Removed Values Added
Description (text identical to the Description section above)
Title mm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:21:44.094Z

Reserved: 2026-05-01T14:12:55.999Z

Link: CVE-2026-43292

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-08T14:16:36.250

Modified: 2026-05-14T21:04:41.027

Link: CVE-2026-43292

Red Hat

Severity: Moderate

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43292 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-15T02:00:13Z

Weaknesses