In the Linux kernel, the following vulnerability has been resolved:

futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()

During futex_key_to_node_opt() execution, vma->vm_policy is read under
speculative mmap lock and RCU. Concurrently, mbind() may call
vma_replace_policy() which frees the old mempolicy immediately via
kmem_cache_free().

This creates a race where __futex_key_to_node() dereferences a freed
mempolicy pointer, causing a use-after-free read of mpol->mode.

[ 151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)
[ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87

[ 151.415969] Call Trace:

[ 151.416732] __asan_load2 (mm/kasan/generic.c:271)
[ 151.416777] __futex_key_to_node (kernel/futex/core.c:349)
[ 151.416822] get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)

Fix by adding rcu to __mpol_put().

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
Linux Linux unaffected
Version Status Constraints
c042c505210dc3453f378df432c10fff3d471bc5 affected < 853f70c67d1b37e368fdcb3e328c4b8c04f53ac0
c042c505210dc3453f378df432c10fff3d471bc5 affected < 7e196194ea27bd49adf3551e2aceb83498eb73fe
c042c505210dc3453f378df432c10fff3d471bc5 affected < 190a8c48ff623c3d67cb295b4536a660db2012aa
Linux Linux affected
Version Status Constraints
6.16 affected
0 unaffected < 6.16
6.18.21 unaffected ≤ 6.18.*
6.19.11 unaffected ≤ 6.19.*
7.0-rc6 unaffected ≤ *

No data.

No data.

No data.

Project Subscriptions

Vendors Products
Linux Subscribe
Linux Kernel Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://git.kernel.org/stable/c/190a8c48ff623c3d67cb295b4536a660db2012aa cve-icon cve-icon
https://git.kernel.org/stable/c/7e196194ea27bd49adf3551e2aceb83498eb73fe cve-icon cve-icon
https://git.kernel.org/stable/c/853f70c67d1b37e368fdcb3e328c4b8c04f53ac0 cve-icon cve-icon
History

Thu, 02 Apr 2026 12:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy() During futex_key_to_node_opt() execution, vma->vm_policy is read under speculative mmap lock and RCU. Concurrently, mbind() may call vma_replace_policy() which frees the old mempolicy immediately via kmem_cache_free(). This creates a race where __futex_key_to_node() dereferences a freed mempolicy pointer, causing a use-after-free read of mpol->mode. [ 151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349) [ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87 [ 151.415969] Call Trace: [ 151.416732] __asan_load2 (mm/kasan/generic.c:271) [ 151.416777] __futex_key_to_node (kernel/futex/core.c:349) [ 151.416822] get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593) Fix by adding rcu to __mpol_put().
Title futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-02T11:40:56.476Z

Reserved: 2026-01-13T15:37:46.014Z

Link: CVE-2026-23415

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-02T12:16:20.810

Modified: 2026-04-02T12:16:20.810

Link: CVE-2026-23415

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses

No weakness.