Main Vulnerability Database SB2026050995

SB2026050995 - Resource exhaustion in Linux kernel mm

Published: May 9, 2026

Security Bulletin ID SB2026050995

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Resource exhaustion (CVE-ID: CVE-2026-43292)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in kasan_release_vmalloc_node when freeing KASAN shadow pages during vmalloc cleanup. A local user can trigger processing of a large purge list to cause a denial of service.

The issue occurs when CONFIG_PAGE_OWNER is enabled, and processing many vmap_area entries without yielding can lead to prolonged RCU stalls and potential OOM conditions.

Remediation

Install update from vendor's website.

References

https://git.kernel.org/stable/c/1afe45f89d54b7183768ebbbbf14238ec187ab5c
https://git.kernel.org/stable/c/2efa9c02c9b4c0d6866aa445f11056809b25ca28
https://git.kernel.org/stable/c/5747435e0fd474c24530ef1a6822f47e7d264b27
https://git.kernel.org/stable/c/b351fbe71091f7c8676c8ba597653d08b6719447