SB2026032557 - Incorrect Calculation of Buffer Size in Linux kernel trace

Description

This security bulletin contains information about 1 security vulnerability.

1) Incorrect Calculation of Buffer Size (CVE-ID: CVE-2026-23380)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper reference counting in the tracing_buffers_mmap_close function when handling memory mappings after a process forks. A local user can trigger a WARN_ON condition by manipulating VMA flags via madvise(MADV_DOFORK), leading to an invalid decrement of the user_mapped reference count and causing a denial of service.

The issue arises when an application removes the VM_DONTCOPY flag using madvise(MADV_DOFORK), allowing the child process to inherit the parent's VMAs without incrementing the reference count.

Remediation

Install update from vendor's website.

References

• https://git.kernel.org/stable/c/91f3e8d84c89918769e71393f839c9fefadc2580
• https://git.kernel.org/stable/c/b0f269ba6fefe9e3cb9feedcf78fcd0b633800c0
• https://git.kernel.org/stable/c/cdd96641b64297a2db42676f051362b76280a58b
• https://git.kernel.org/stable/c/e39bb9e02b68942f8e9359d2a3efe7d37ae6be0e