KernelScan.io

Severity: HIGH

mshv Memory Region UAF

CVE-2026-23432

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH


In the Linux kernel, the following vulnerability has been resolved:

mshv: Fix use-after-free in mshv_map_user_memory error path

In the error path of mshv_map_user_memory(), calling vfree() directly on the region leaves the MMU notifier registered. When userspace later unmaps the memory, the notifier fires and accesses the freed region, causing a use-after-free and potential kernel panic.

Replace vfree() with mshv_partition_put() to properly unregister the MMU notifier before freeing the region.


Engine v0.2.0

Risk summary

This vulnerability allows local attackers with access to Hyper-V virtualization features to cause kernel crashes or potentially execute code by triggering a use-after-free condition in the memory management subsystem. The impact is high as it can lead to system instability or privilege escalation in virtualized environments.

Affected: drivers/hv/mshv_root_main.c

Vulnerability analysis

Summary: Use-after-free vulnerability in Microsoft Hyper-V root partition driver's memory mapping error path

Root Cause: In the error path of mshv_map_user_memory(), the code calls vfree() directly on a memory region without properly unregistering the associated MMU notifier. This leaves a dangling notifier callback that references the freed memory region.

Attack Mechanism: When userspace later unmaps the memory after the error path has freed the region, the MMU notifier fires and attempts to access the freed region structure, causing a use-after-free condition that can lead to kernel panic or potential code execution.

Attack Surface: Local only; the attacker needs access to the Hyper-V (mshv) virtualization interfaces, the ability to trigger a memory mapping operation that fails and takes the error path, and then the ability to unmap that memory so the stale MMU notifier fires on the freed region.

Fix Mechanism: The patch replaces the direct vfree() call with mshv_region_put(), which properly unregisters the MMU notifier before freeing the memory region, ensuring the notifier callback cannot access freed memory.


Branch     Fixed in   Patch commit
6.19       6.19.10    34861bdc0c01
mainline   7.0        6922db250422