Description
In the Linux kernel, the following vulnerability has been resolved:

mm/slab: return NULL early from kmalloc_nolock() in NMI on UP

On UP kernels (!CONFIG_SMP), spin_trylock() is a no-op that
unconditionally succeeds even when the lock is already held. As a
result, kmalloc_nolock() called from NMI context can re-enter the slab
allocator and acquire n->list_lock that the interrupted context is
already holding, corrupting slab state.

With CONFIG_DEBUG_SPINLOCK on UP, the following BUG is triggered with
the slub_kunit test module:

BUG: spinlock trylock failure on UP on CPU#0, kunit_try_catch/243
[...]
Call Trace:
<NMI>
dump_stack_lvl+0x3f/0x60
do_raw_spin_trylock+0x41/0x50
_raw_spin_trylock+0x24/0x50
get_from_partial_node+0x120/0x4d0
___slab_alloc+0x8a/0x4c0
kmalloc_nolock_noprof+0x164/0x310
[...]
</NMI>

Fix this by returning NULL early when invoked from NMI on a UP kernel.
Published: 2026-05-27
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition in the Linux kernel’s slab allocator is triggered when the kmalloc_nolock() function is called from a Non-Maskable Interrupt (NMI) context on single‑processor (UP) kernels where CONFIG_SMP is disabled. On such kernels, spin_trylock() is a no‑op that always succeeds, enabling the allocator to re‑enter and acquire n->list_lock while it is already held by the interrupted context. This re‑entrancy corrupts the internal slab state, leading to kernel crashes. The nature of the flaw is a kernel memory corruption bug that arises from a race condition and improper lock reuse (CWE-364).
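The re-entrancy described above, as a userspace C model added here (it is not kernel code and not the upstream patch). `struct node`, `pop_nolock()`, `simulate()` and the `MODE_*` values are hypothetical names, and the partial list is reduced to a small stack of slab ids.

```c
#include <stdbool.h>

/* Userspace model only: every name here is hypothetical, not kernel code. */
enum mode { MODE_UP, MODE_UP_GUARDED, MODE_SMP };

struct node {
    bool locked;      /* stands in for n->list_lock */
    int  nr_partial;  /* number of entries on the partial list */
    int  stack[4];    /* partial list reduced to a stack of slab ids */
};

/* Models the lockless allocation path; returns a slab id, or -1 for NULL. */
static int pop_nolock(struct node *n, enum mode m, bool in_nmi)
{
    int id;
    if (m == MODE_UP_GUARDED && in_nmi)
        return -1;                 /* the fix: bail out early in NMI on UP */
    if (m == MODE_SMP) {
        if (n->locked)
            return -1;             /* a real trylock fails on a held lock */
        n->locked = true;
    }
    /* On UP the trylock is a no-op that "succeeds", so execution gets here. */
    id = n->stack[--n->nr_partial];
    if (m == MODE_SMP)
        n->locked = false;
    return id;
}

/* The NMI allocates while the interrupted context holds the lock mid-unlink.
 * Returns true if both contexts ended up owning the same slab. */
static bool simulate(enum mode m, int *nmi_got)
{
    struct node n = { false, 3, { 10, 11, 12, 0 } };
    int top, mine;
    n.locked = true;               /* interrupted context takes the lock */
    top = n.nr_partial - 1;
    mine = n.stack[top];           /* slab 12 chosen, not yet unlinked */
    *nmi_got = pop_nolock(&n, m, true);   /* NMI fires at this point */
    n.nr_partial = top;            /* interrupted context finishes unlink */
    n.locked = false;
    return *nmi_got == mine;
}

int main(void)
{
    int got;
    return simulate(MODE_UP_GUARDED, &got) ? 1 : 0;  /* exits 0: no double owner */
}
```

In the unguarded UP case both contexts receive slab 12, which is the double ownership that the early NULL return (or a trylock that can actually fail) rules out.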

Affected Systems

The vulnerability affects all versions of the Linux kernel built with CONFIG_SMP disabled. No specific kernel minor or patch level is listed, so any single‑CPU build derived from a source tree that has not yet integrated the patch is susceptible. This includes legacy or embedded releases that deliberately omit SMP support.

Risk and Exploitability

The EPSS score indicates a very low exploitation probability (<1%), and the vulnerability is not listed in CISA KEV. The CVSS score is 7, indicating a high severity. The likely attack vector is inferred from the description: an attacker would need to trigger an NMI event on a single‑CPU system to invoke kmalloc_nolock() from the NMI context, a scenario that is uncommon in typical production environments but possible in specialized hardware or during kernel debugging. Because the bug corrupts the core memory allocator, the potential impact is high if exploitation is achieved.

Generated by OpenCVE AI on May 30, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that adds a null return guard in kmalloc_nolock() when called from NMI on a UP kernel (commit 5b31044e649e3e54c2caef135c09b371c2fbcd08). Deploy the patched kernel to testing environments before rolling it out in production.
  • If a kernel upgrade is not feasible, rebuild the kernel with CONFIG_SMP enabled. The flaw does not affect SMP builds, so enabling SMP provides a complete functional workaround.
  • As a temporary mitigation, reduce or eliminate NMI traffic on the affected system. Disable unused interrupt‑controller sources or network‑driver interrupts that can raise NMIs, and enable CONFIG_DEBUG_SPINLOCK so that any attempt to reenter the slab allocator under NMI triggers a BUG, providing early detection and preventing silent corruption.



Advisories

No advisories yet.

History

Tue, 16 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 28 May 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-250
CWE-362
CWE-416

Thu, 28 May 2026 00:15:00 +0000


Wed, 27 May 2026 22:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-250
CWE-362
CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mm/slab: return NULL early from kmalloc_nolock() in NMI on UP On UP kernels (!CONFIG_SMP), spin_trylock() is a no-op that unconditionally succeeds even when the lock is already held. As a result, kmalloc_nolock() called from NMI context can re-enter the slab allocator and acquire n->list_lock that the interrupted context is already holding, corrupting slab state. With CONFIG_DEBUG_SPINLOCK on UP, the following BUG is triggered with the slub_kunit test module: BUG: spinlock trylock failure on UP on CPU#0, kunit_try_catch/243 [...] Call Trace: <NMI> dump_stack_lvl+0x3f/0x60 do_raw_spin_trylock+0x41/0x50 _raw_spin_trylock+0x24/0x50 get_from_partial_node+0x120/0x4d0 ___slab_alloc+0x8a/0x4c0 kmalloc_nolock_noprof+0x164/0x310 [...] </NMI> Fix this by returning NULL early when invoked from NMI on a UP kernel.
Title mm/slab: return NULL early from kmalloc_nolock() in NMI on UP
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:49:05.766Z

Reserved: 2026-05-13T15:03:33.093Z

Link: CVE-2026-46029

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-27T14:17:21.563

Modified: 2026-06-16T15:53:30.277

Link: CVE-2026-46029

Redhat

Severity :

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46029 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T13:30:24Z

Weaknesses