Severity: HIGH
futex Mempolicy UAF
CVE-2026-23415
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()

During futex_key_to_node_opt() execution, vma->vm_policy is read under speculative mmap lock and RCU. Concurrently, mbind() may call vma_replace_policy() which frees the old mempolicy immediately via kmem_cache_free(). This creates a race where __futex_key_to_node() dereferences a freed mempolicy pointer, causing a use-after-free read of mpol->mode.

```
[ 151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)
[ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87
[ 151.415969] Call Trace:
[ 151.416732] __asan_load2 (mm/kasan/generic.c:271)
[ 151.416777] __futex_key_to_node (kernel/futex/core.c:349)
[ 151.416822] get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)
```

Fix by adding rcu to __mpol_put().
02 KernelScan AI Analysis
Risk summary
An attacker with local access could trigger a use-after-free by timing futex operations against concurrent memory policy changes (mbind()). The result is a kernel read of freed memory, which could lead to kernel memory corruption, a system crash, or potentially privilege escalation. Systems that combine NUMA memory policies with futex operations are affected.
Vulnerability analysis
Summary: A use-after-free vulnerability exists in the futex subsystem where futex_key_to_node_opt() can read a freed mempolicy structure during concurrent execution with mbind().
Root Cause: The vulnerability occurs because futex_key_to_node_opt() reads vma->vm_policy under speculative mmap lock and RCU protection, while mbind() can concurrently call vma_replace_policy() which immediately frees the old mempolicy via kmem_cache_free(). This creates a race condition where __futex_key_to_node() dereferences a freed mempolicy pointer when accessing mpol->mode.
Attack Surface: This is a local vulnerability that affects systems using futex operations with memory policy (FUTEX2_MPOL). The race condition requires concurrent futex operations and mbind() system calls, making it exploitable by local processes that can perform these operations.
Fix Mechanism: The fix implements proper RCU-based memory management by:
1) adding an rcu_head field to the mempolicy structure;
2) changing __mpol_put() to use kfree_rcu() instead of immediate kmem_cache_free();
3) using READ_ONCE() and WRITE_ONCE() for accessing vma->vm_policy to ensure proper memory ordering.
This ensures that mempolicy structures are not freed until all RCU read-side critical sections complete.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.21 | 853f70c67d1b |
| 6.19 | 6.19.11 | 7e196194ea27 |
| mainline | 7.0 | 190a8c48ff62 |
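A practitioner's check against the Fix Versions table above, added here as an example and not part of the advisory or of KernelScan: it parses a `uname -r` string and reports whether the running kernel is at or past the fixed release for its stable branch. Kernels on branches the table does not list (distribution or LTS kernels, and release candidates) return None, because backports must be verified against the patch commit rather than the version number.

```python
"""Check a running kernel against the Fix Versions table for CVE-2026-23415."""
import platform
import re
from typing import Optional, Tuple

# Fixed-in releases from the advisory's table, keyed by stable branch (major, minor).
# The fourth field marks a final release (1) versus a release candidate (0).
FIXED_IN = {
    (6, 18): (6, 18, 21, 1),
    (6, 19): (6, 19, 11, 1),
}
MAINLINE_FIXED = (7, 0, 0, 1)  # first mainline release carrying the fix


def parse_kernel_version(release: str) -> Tuple[int, int, int, int]:
    """Parse a `uname -r` string such as '6.18.20-arch1-1' or '7.0-rc3'
    into (major, minor, patch, is_final); '-rcN' builds get is_final=0."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(-rc\d+)?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    patch = int(m.group(3) or 0)
    is_final = 0 if m.group(4) else 1
    return int(m.group(1)), int(m.group(2)), patch, is_final


def is_fixed(release: str) -> Optional[bool]:
    """True if the kernel is at or past a fixed release for its branch,
    False if it is on a listed branch but below the fix, None if the table
    does not cover it (distribution/LTS backports and release candidates
    must be checked against the patch commit instead)."""
    version = parse_kernel_version(release)
    if version >= MAINLINE_FIXED:
        return True
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return None
    return version >= fixed


if __name__ == "__main__":
    running = platform.release()
    verdict = {True: "fixed", False: "VULNERABLE", None: "unknown (check backports)"}
    print(f"{running}: {verdict[is_fixed(running)]}")
```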