CVE-2026-23225

High

In the Linux kernel, the following vulnerability has been resolved:

sched/mmcid: Don't assume CID is CPU owned on mode switch

Shinichiro reported a KASAN UAF, which is actually an out of bounds access in the MMCID management code.

    CPU0                                          CPU1
                                                  T1 runs in userspace
    T0: fork(T4) -> Switch to per CPU CID mode
          fixup() set MM_CID_TRANSIT on T1/CPU1
    T4 exit()
    T3 exit()
    T2 exit()
                                                  T1 exit() switch to per task mode
                                                   ---> Out of bounds access.

As T1 has not scheduled after T0 set the TRANSIT bit, it exits with the TRANSIT bit set.

sched_mm_cid_remove_user() clears the TRANSIT bit in the task and drops the CID, but it does not touch the per CPU storage. That's functionally correct because a CID is only owned by the CPU when the ONCPU bit is set, which is mutually exclusive with the TRANSIT flag.

Now sched_mm_cid_exit() assumes that the CID is CPU owned because the prior mode was per CPU. It invokes mm_drop_cid_on_cpu() which clears the not set ONCPU bit and then invokes clear_bit() with an insanely large bit number because TRANSIT is set (bit 29).

Prevent that by actually validating that the CID is CPU owned in mm_drop_cid_on_cpu().
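The failure described above, reduced to a user-space model (an added example, not the kernel's code or the actual patch): a stale per-CPU value that still carries TRANSIT is passed to an ownership-blind drop, then to one that validates ownership first. The ONCPU bit position, the 64-entry bitmap, `struct model_mm` and all function names are assumptions of this model; only TRANSIT being bit 29 comes from the advisory.

```c
#include <stdint.h>
#include <stdio.h>

#define MM_CID_TRANSIT (1u << 29) /* bit 29, as stated in the advisory */
#define MM_CID_ONCPU   (1u << 30) /* assumed bit position for this model */
#define MODEL_NR_CIDS  64u        /* constructed bitmap size */

enum drop_result { DROP_CLEARED, DROP_SKIPPED, DROP_OUT_OF_BOUNDS };

struct model_mm {
    uint64_t cid_bitmap;   /* one bit per allocated CID */
    unsigned int pcpu_cid; /* value left behind in the per-CPU storage */
};

/* Bounds-checked stand-in for clear_bit(), which performs no such check. */
static enum drop_result model_clear_bit(unsigned int nr, uint64_t *map)
{
    if (nr >= MODEL_NR_CIDS)
        return DROP_OUT_OF_BOUNDS; /* the kernel would write past the bitmap */
    *map &= ~(UINT64_C(1) << nr);
    return DROP_CLEARED;
}

/* Pre-fix logic as described: assume CPU ownership, strip ONCPU, clear. */
static enum drop_result drop_cid_on_cpu_unchecked(struct model_mm *mm)
{
    return model_clear_bit(mm->pcpu_cid & ~MM_CID_ONCPU, &mm->cid_bitmap);
}

/* Post-fix logic as described: only drop a CID the CPU actually owns. */
static enum drop_result drop_cid_on_cpu_checked(struct model_mm *mm)
{
    if (!(mm->pcpu_cid & MM_CID_ONCPU))
        return DROP_SKIPPED;
    return model_clear_bit(mm->pcpu_cid & ~MM_CID_ONCPU, &mm->cid_bitmap);
}

/* Constructed state after T1 exits: CID 1 dropped, per-CPU value stale. */
static struct model_mm stale_transit_state(void)
{
    return (struct model_mm){ .cid_bitmap = 0x1, .pcpu_cid = 1u | MM_CID_TRANSIT };
}

int main(void)
{
    struct model_mm a = stale_transit_state(), b = stale_transit_state();
    printf("unchecked=%d checked=%d\n", (int)drop_cid_on_cpu_unchecked(&a),
           (int)drop_cid_on_cpu_checked(&b));
    return 0;
}
```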

Package: Linux Kernel
Published: 2026-02-18
Last modified: 2026-04-15
CVSS version: 3.1
Patch available: Yes

CVSS 3.1 score

7.8 out of 10 (High)

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected versions

Linux kernel versions 6.19 and later are affected. The issue is fixed in 6.19.1, 7.0 and their respective stable series.

Affected from: ≥ 6.19
Fixed in: 6.19.1 (6.19.x), 7.0

References

The following references provide additional information about CVE-2026-23225 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Frequently asked questions

  • What is CVE-2026-23225?

    CVE-2026-23225 is a High severity Linux kernel vulnerability with a CVSS score of 7.8 out of 10. It affects Linux kernel versions from 6.19 onward and has been patched in 6.19.1 and 7.0. CVE-2026-23225 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

  • What is the CVSS score for CVE-2026-23225?

    CVE-2026-23225 has a CVSS score of 7.8 out of 10, rated High severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

  • Is there a patch available for CVE-2026-23225?

    Yes — CVE-2026-23225 has been patched. Fixed versions include 6.19.1 and 7.0. If you are running a Linux kernel from 6.19 onward that predates the fixed versions, apply the relevant patch for your kernel branch.

  • Is CVE-2026-23225 actively exploited?

    No — CVE-2026-23225 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.