Description
In the Linux kernel, the following vulnerability has been resolved:

mm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node

When CONFIG_PAGE_OWNER is enabled, freeing KASAN shadow pages during
vmalloc cleanup triggers expensive stack unwinding that acquires RCU read
locks. Processing a large purge_list without rescheduling can cause the
task to hold CPU for extended periods (10+ seconds), leading to RCU stalls
and potential OOM conditions.

The issue manifests in purge_vmap_node() -> kasan_release_vmalloc_node()
where iterating through hundreds or thousands of vmap_area entries and
freeing their associated shadow pages causes:

rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P6229/1:b..l
...
task:kworker/0:17 state:R running task stack:28840 pid:6229
...
kasan_release_vmalloc_node+0x1ba/0xad0 mm/vmalloc.c:2299
purge_vmap_node+0x1ba/0xad0 mm/vmalloc.c:2299

Each call to kasan_release_vmalloc() can free many pages, and with
page_owner tracking, each free triggers save_stack() which performs stack
unwinding under RCU read lock. Without yielding, this creates an
unbounded RCU critical section.

Add periodic cond_resched() calls within the loop to allow:
- RCU grace periods to complete
- Other tasks to run
- Scheduler to preempt when needed

The fix uses need_resched() for immediate response under load, with a
batch count of 32 as a guaranteed upper bound to prevent worst-case stalls
even under light load.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug arises when CONFIG_PAGE_OWNER is enabled and KASAN shadow pages are freed during vmalloc cleanup. The cleanup path performs stack unwinding while holding an RCU read lock for every page freed, and it does not voluntarily reschedule until the entire purge list is processed. If the list contains hundreds or thousands of vmap_area entries, the task can hold the CPU for many seconds, preventing other CPUs from completing RCU grace periods and potentially causing out-of-memory conditions. The effect is a prolonged RCU stall that manifests as a kernel message indicating blocking on level-0 RCU nodes and can lead to system instability or denial of service.

Affected Systems

All Linux kernel builds that enable CONFIG_PAGE_OWNER in combination with KASAN shadow page support are affected. The vulnerability is present regardless of the specific kernel version, but it was patched in a recent commit to the mainline kernel; any user running a kernel prior to that commit faces the risk. The patch is included in downstream distributions that ship a kernel with the kasan_release_vmalloc_node fix applied.

Risk and Exploitability

The CVSS score is 5.5 and the EPSS score is not available, indicating a medium-severity system impact from this bug. Exploitation requires a context that can free vmalloc pages in a large purge list, typically available only to code running with kernel privileges (for example, kernel modules, compromised processes, or development builds with KASAN enabled). No public exploits have been documented, and exploitation depends on the system accepting local kernel code; however, the denial-of-service nature of the flaw makes it a severe risk that should be addressed as soon as a patched kernel is available. The lack of a KEV listing indicates no known widespread exploitation, but the bug remains a high internal threat to kernel stability.

Generated by OpenCVE AI on May 9, 2026 at 01:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes the RCU stall mitigation patch (for example, the commit that adds periodic cond_resched() in kasan_release_vmalloc_node).
  • If an immediate update is not possible, disable the CONFIG_PAGE_OWNER kernel option or disable overall KASAN shadow page tracking to prevent the heavy stack unwinding that stalls RCU (this reduces KASAN coverage but eliminates the stall).
  • After applying the fix or hardening, monitor kernel logs for rcu_preempt stall indicators and system responsiveness; ensure that the patched kernel is running in production environments and that no custom patches re‑introduce the original loop without rescheduling.

Generated by OpenCVE AI on May 9, 2026 at 01:48 UTC.
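
The log-monitoring step in the recommended actions can be scripted. The following is an added example, not code from OpenCVE or the kernel project: it splits a kernel log into RCU stall reports and flags those whose trace contains the frames named in the description, and it checks a kernel `.config` for the triggering options. The function names, the 60-line report window, the second (unrelated) sample report, the added timestamps and the use of `CONFIG_KASAN` as the KASAN switch are assumptions.

```python
import re

# Constructed sample: the stall report quoted in the description with
# dmesg-style timestamps added, plus an unrelated stall for contrast.
SAMPLE_LOG = """\
[ 100.000001] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
[ 100.000002] rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P6229/1:b..l
[ 100.000003] task:kworker/0:17 state:R running task stack:28840 pid:6229
[ 100.000004]  kasan_release_vmalloc_node+0x1ba/0xad0 mm/vmalloc.c:2299
[ 100.000005]  purge_vmap_node+0x1ba/0xad0 mm/vmalloc.c:2299
[ 200.000001] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
[ 200.000002] task:example_task state:R running task stack:0 pid:4242
[ 200.000003]  example_unrelated_function+0x10/0x40
"""

STALL_RE = re.compile(r"rcu: INFO: \w+ detected stalls on CPUs/tasks")
FRAME_RE = re.compile(r"\b(kasan_release_vmalloc_node|purge_vmap_node)\+0x")
TASK_RE = re.compile(r"task:(\S+)\s.*\bpid:(\d+)")

def find_vmalloc_purge_stalls(log_text, window=60):
    """Return one dict per RCU stall report; 'match' is True when the
    report's trace contains kasan_release_vmalloc_node."""
    lines = log_text.splitlines()
    starts = [i for i, line in enumerate(lines) if STALL_RE.search(line)]
    reports = []
    for n, start in enumerate(starts):
        # A report ends at the next stall header or after `window` lines.
        nxt = starts[n + 1] if n + 1 < len(starts) else len(lines)
        body = lines[start:min(start + window, nxt)]
        task = next((m.groups() for m in map(TASK_RE.search, body) if m), (None, None))
        frames = sorted({m.group(1) for line in body for m in FRAME_RE.finditer(line)})
        reports.append({"line": start + 1, "task": task[0], "pid": task[1],
                        "frames": frames,
                        "match": "kasan_release_vmalloc_node" in frames})
    return reports

def config_exposed(config_text):
    """True when a kernel .config sets both CONFIG_PAGE_OWNER and CONFIG_KASAN to y."""
    enabled = {line.split("=", 1)[0] for line in config_text.splitlines()
               if line.strip().endswith("=y")}
    return {"CONFIG_PAGE_OWNER", "CONFIG_KASAN"} <= enabled

if __name__ == "__main__":
    for report in find_vmalloc_purge_stalls(SAMPLE_LOG):
        print(report)
```

On a live system, the log text would come from the kernel ring buffer or journal and the config text from the running kernel's build configuration.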

Advisories

No advisories yet.

History

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Fri, 08 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-246
CWE-730

Fri, 08 May 2026 13:30:00 +0000

Type Values Removed Values Added
Description: text identical to the Description section at the top of this page.
Title mm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-09T04:10:04.732Z

Reserved: 2026-05-01T14:12:55.999Z

Link: CVE-2026-43292

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T14:16:36.250

Modified: 2026-05-08T14:16:36.250

Link: CVE-2026-43292

Redhat

Severity : Moderate

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43292 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T02:00:19Z

Weaknesses