Main Vulnerability Database SB2026040318

SB2026040318 - Use-after-free in Linux kernel mm

Published: April 3, 2026

Security Bulletin ID SB2026040318

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Use-after-free (CVE-ID: CVE-2026-23415)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in __futex_key_to_node() when processing futex operations during a race with vma policy replacement. A local user can trigger concurrent futex activity and memory policy changes to cause a denial of service.

The issue is caused by a race between futex_key_to_node_opt() and vma_replace_policy() that leads to a use-after-free read of mpol->mode from a freed mempolicy pointer.

Remediation

Install update from vendor's website.

References

https://git.kernel.org/stable/c/190a8c48ff623c3d67cb295b4536a660db2012aa
https://git.kernel.org/stable/c/7e196194ea27bd49adf3551e2aceb83498eb73fe
https://git.kernel.org/stable/c/853f70c67d1b37e368fdcb3e328c4b8c04f53ac0