Description
In the Linux kernel, the following vulnerability has been resolved:

mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI on UP

On UP kernels (!CONFIG_SMP), spin_trylock() is a no-op that
unconditionally succeeds even when the lock is already held. As a
result, alloc_frozen_pages_nolock() called from NMI context can
re-enter rmqueue() and acquire the zone lock that the interrupted
context is already holding, corrupting the freelists.

With CONFIG_DEBUG_SPINLOCK on UP, the following BUG is triggered with
the slub_kunit test module:

BUG: spinlock trylock failure on UP on CPU#0, kunit_try_catch/243
[...]
Call Trace:
<NMI>
dump_stack_lvl+0x3f/0x60
do_raw_spin_trylock+0x41/0x50
_raw_spin_trylock+0x24/0x50
rmqueue.isra.0+0x2a9/0xa70
get_page_from_freelist+0xeb/0x450
alloc_frozen_pages_nolock_noprof+0x111/0x1e0
allocate_slab+0x42a/0x500
___slab_alloc+0xa7/0x4c0
kmalloc_nolock_noprof+0x164/0x310
[...]
</NMI>

Fix this by returning NULL early when invoked from NMI on a UP kernel.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug is in the Linux kernel's page allocator and affects only uniprocessor builds (CONFIG_SMP=n). On such a kernel spin_trylock() does not test the lock word at all; it unconditionally reports success. alloc_frozen_pages_nolock() relies on that trylock to back off when the zone lock is already held, so when it is called from NMI context while the interrupted code is inside rmqueue() holding the lock, the NMI path re-enters rmqueue() as if it had acquired the lock, and two contexts manipulate the zone freelists at once. This is lock re-entrancy from an interrupt on a single CPU (the page records it as CWE-853), not a race between CPUs; once an allocating NMI lands while the lock is held, the corruption is deterministic. The visible result is corrupted freelists, which in practice means a kernel crash or later unpredictable memory-management behaviour; the description does not support a stronger claim than that.
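To make the mechanism concrete, the following is a userland model added for this page; it is not kernel code and not part of the fix. It keeps the shape of the functions in the trace under made-up names with a _model suffix, assumes the UP spin_trylock() behaviour the commit describes (unconditional success with no check of the lock state), and injects an allocating NMI in the middle of rmqueue_model() while the zone lock is held. The first run reproduces the corruption: the same page is handed to both contexts and the zone's nr_free no longer matches the list. The second run applies the early NULL return and stays consistent.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userland model of the UP spin_trylock() hazard. Added example, not kernel code.
 * Assumption: on a !CONFIG_SMP kernel spin_trylock() never inspects the lock word,
 * so a trylock that always returns true models what the commit describes. */

#define NPAGES 4

struct page { int idx; struct page *next; };

struct zone {
    bool locked;        /* models the zone spinlock's state */
    struct page *free;  /* freelist head */
    int nr_free;        /* what the zone believes is on the freelist */
};

struct outcome {
    int task_idx;       /* page the interrupted (task) context got, -1 if none */
    int nmi_idx;        /* page the NMI context got, -1 if none */
    int nr_free;        /* zone->nr_free afterwards */
    int on_list;        /* pages actually still linked on the freelist */
    bool consistent;    /* no double allocation and nr_free == on_list */
};

static struct page pages[NPAGES];
static struct zone zone;
static bool in_nmi_flag;            /* models in_nmi() */
static bool apply_fix;              /* false: original path, true: with early NULL return */
static struct page *nmi_result;     /* what the NMI-side allocation returned */

/* Models spin_trylock() as built for !CONFIG_SMP: success even when already held. */
static bool up_spin_trylock(struct zone *z)
{
    z->locked = true;
    return true;
}

static void spin_unlock(struct zone *z) { z->locked = false; }

static struct page *alloc_frozen_pages_nolock_model(void);

/* Models rmqueue(): pop the freelist head under the zone lock. With nmi_here set, an
 * allocating NMI is injected after the head is read but before it is unlinked, i.e.
 * while this context holds the lock and the freelist is mid-update. */
static struct page *rmqueue_model(struct zone *z, bool nmi_here)
{
    struct page *page;

    if (!up_spin_trylock(z))
        return NULL;        /* never taken on UP: the trylock cannot fail */
    page = z->free;
    if (nmi_here) {
        in_nmi_flag = true;
        nmi_result = alloc_frozen_pages_nolock_model();   /* re-enters rmqueue_model() */
        in_nmi_flag = false;
    }
    if (page) {
        z->free = page->next;
        z->nr_free--;
    }
    spin_unlock(z);
    return page;
}

/* Models alloc_frozen_pages_nolock(); the early return is the fix from the commit. */
static struct page *alloc_frozen_pages_nolock_model(void)
{
    if (apply_fix && in_nmi_flag)
        return NULL;    /* on UP the trylock cannot report contention: refuse in NMI */
    return rmqueue_model(&zone, false);
}

static int count_free(const struct zone *z)
{
    int n = 0;
    for (const struct page *p = z->free; p; p = p->next)
        n++;
    return n;
}

static void reset_zone(void)
{
    for (int i = 0; i < NPAGES; i++) {
        pages[i].idx = i;
        pages[i].next = (i + 1 < NPAGES) ? &pages[i + 1] : NULL;
    }
    zone.locked = false;
    zone.free = &pages[0];
    zone.nr_free = NPAGES;
    in_nmi_flag = false;
    nmi_result = NULL;
}

/* One task-side allocation interrupted by an allocating NMI. */
struct outcome run_scenario(bool with_fix)
{
    struct outcome o;
    struct page *task_page;

    reset_zone();
    apply_fix = with_fix;
    task_page = rmqueue_model(&zone, true);

    o.task_idx = task_page ? task_page->idx : -1;
    o.nmi_idx = nmi_result ? nmi_result->idx : -1;
    o.nr_free = zone.nr_free;
    o.on_list = count_free(&zone);
    /* Corruption shows up as one page owned twice, or nr_free disagreeing with the list. */
    o.consistent = !(task_page && task_page == nmi_result) && o.nr_free == o.on_list;
    return o;
}

int main(void)
{
    struct outcome v = run_scenario(false), f = run_scenario(true);

    printf("original: task page %d, NMI page %d, nr_free=%d, on list=%d, consistent=%s\n",
           v.task_idx, v.nmi_idx, v.nr_free, v.on_list, v.consistent ? "yes" : "no");
    printf("fixed:    task page %d, NMI page %d, nr_free=%d, on list=%d, consistent=%s\n",
           f.task_idx, f.nmi_idx, f.nr_free, f.on_list, f.consistent ? "yes" : "no");
    return 0;
}
```

The hazard is deterministic rather than timing-dependent: once an NMI allocates while the zone lock is held, the re-entry always happens on UP because the trylock has no way to report contention. That is why the fix is a flat refusal (return NULL, which nolock callers must already handle because the trylock path can fail on SMP) rather than a retry, and why it only needs to apply when CONFIG_SMP is off.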

Affected Systems

Only kernels built with CONFIG_SMP disabled are exposed; SMP builds, which is what general-purpose distributions ship, are not affected, because spin_trylock() there genuinely tests the lock. No version range is supplied on this page. A UP kernel is affected if it contains alloc_frozen_pages_nolock() (the allocation path introduced with kmalloc_nolock(), shown in the trace above) and lacks the early NULL return for NMI callers. UP builds are typical of small embedded systems and single-core virtual machine configurations rather than servers or desktops.

Risk and Exploitability

No CVSS or EPSS score has been published and the issue is not in CISA's KEV catalog, so severity and exploitation likelihood are not yet rated. The bug is only reachable on a CONFIG_SMP=n build, and only by code that allocates from NMI context through the nolock allocators; the trace above reaches it via kmalloc_nolock() from the slub_kunit test module, and this page does not identify any unprivileged path that does the same. The realistic outcome of the freelist corruption is a kernel crash or hang (denial of service); whether it could be steered into anything more, such as privilege escalation, is not established by the available information. It is a local kernel bug, not a remotely reachable one, and is best treated as a correctness and availability fix for UP kernels.

Generated by OpenCVE AI on May 27, 2026 at 20:23 UTC.

Remediation

No vendor advisory or workaround is listed on this page yet. The upstream fix is the change described in the Description: alloc_frozen_pages_nolock() returns NULL early when called from NMI context on a UP kernel, so the NMI caller sees an allocation failure (which nolock callers must already handle, since the trylock path can fail on SMP) instead of re-entering rmqueue() behind a lock it cannot detect.

OpenCVE Recommended Actions

  • Apply a kernel release that carries the fix described above (alloc_frozen_pages_nolock() returning NULL early when invoked from NMI on a UP kernel); if you maintain your own UP kernel tree, backport that single change
  • Check exposure first: the issue cannot occur on a CONFIG_SMP=y kernel. On a running system, grep CONFIG_SMP /boot/config-$(uname -r) shows which build you have (or zcat /proc/config.gz | grep CONFIG_SMP where the kernel was built with CONFIG_IKCONFIG_PROC)
  • Enable CONFIG_DEBUG_SPINLOCK on test builds of UP kernels: it is what turns the silently "successful" trylock into the "spinlock trylock failure on UP" BUG shown in the description, so it reproduces the problem before patching and confirms the fix afterwards
  • If an update cannot be applied immediately, audit out-of-tree code that may allocate from NMI context through kmalloc_nolock() or alloc_frozen_pages_nolock() (the path in the trace above) and disable it on UP builds until the fix is in place


Advisories

No advisories yet.

History

Wed, 27 May 2026 20:45:00 +0000

Weaknesses: added CWE-853 (nothing removed)

Wed, 27 May 2026 14:15:00 +0000

Description: added (the text shown in the Description section above)
Title: added "mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI on UP"
First Time appeared: Linux; Linux linux Kernel
CPEs: added cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: added Linux; Linux linux Kernel
References: (none listed)

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:56:44.260Z

Reserved: 2026-05-13T15:03:33.093Z

Link: CVE-2026-46035

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:22.617

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46035

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T20:30:40Z

Weaknesses