HIGH
procfs PROCMAP_QUERY double mmput() UAF
CVE-2026-43178
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

procfs: fix possible double mmput() in do_procmap_query()

When a user provides an incorrectly sized buffer for the build ID for PROCMAP_QUERY, we return with an -ENAMETOOLONG error. After recent changes this condition happens later, after we have unlocked mmap_lock/the per-VMA lock and done mmput(), so the original goto out is now wrong and will double-mmput() the mm_struct. Fix by jumping further, to clean up only vm_file and name_buf.
02 KernelScan AI Analysis
Risk summary
A local, unprivileged user can trigger a double mmput() in the kernel's procfs PROCMAP_QUERY ioctl handler by passing a build ID buffer that is too small for the mapping's build ID (the -ENAMETOOLONG error path). The extra mmput() releases an mm_struct reference the handler no longer holds, so the mm can be torn down while its owning task is still using it: a use-after-free whose most likely outcome is a kernel crash, with information disclosure or limited kernel memory corruption as possible outcomes. Any process can reach the code path through a /proc/<pid>/maps file; querying its own mappings via /proc/self/maps suffices.
Vulnerability analysis
The flaw is in do_procmap_query(). A recent change moved the build ID size check to after the point where the handler releases mmap_lock (or the per-VMA lock) and calls mmput(), but the -ENAMETOOLONG error path still jumped to the original out label, whose cleanup calls mmput() again. mm_users is therefore decremented one more time than the handler ever incremented it, which can bring the count to zero and free the mm_struct while current->mm still points at it. The fix adds a later cleanup label (out_file) that releases only vm_file and name_buf and leaves the mm reference alone. The path is reachable by any local user through the PROCMAP_QUERY ioctl on a /proc/<pid>/maps file descriptor, using a build ID buffer size smaller than the mapping's actual build ID.
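To make the cleanup-label mistake concrete, the following is a constructed C model of the two error paths described above. It is added for this page and is not kernel code: the structs, the mmget_not_zero()/mmput() stand-ins, the 20-byte build ID and the bodies of the out and out_file labels are assumptions that mimic the described flow, not the real do_procmap_query() implementation. The model shows why goto out is correct for an error raised while the lock and mm reference are still held, and why the same label is wrong once the check has moved past the first mmput().

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* errno values as in asm-generic/errno-base.h and errno.h */
#define ESRCH         3
#define ENOMEM       12
#define ENAMETOOLONG 36

/* Stand-ins for the kernel objects involved (constructed model, not kernel code). */
struct mm_model {
    int  mm_users;   /* mm_struct.mm_users; the owning task holds one */
    bool freed;      /* set once mm_users reached zero, i.e. __mmput() ran */
    bool locked;     /* mmap_lock / per-VMA lock held by the query */
};

struct file_model {
    int refs;        /* f_count of the VMA's backing file */
};

static bool mmget_not_zero(struct mm_model *mm)
{
    if (mm->mm_users == 0)
        return false;
    mm->mm_users++;
    return true;
}

static void mmput(struct mm_model *mm)
{
    if (--mm->mm_users == 0)
        mm->freed = true;   /* __mmput(): exit_mmap() and free the mm */
}

/*
 * Model of do_procmap_query(). The mapping's build ID is a constructed
 * 20-byte (SHA-1) value; build_id_bufsz is the size the caller claims to
 * have room for. `fixed` selects the cleanup label the -ENAMETOOLONG path
 * jumps to.
 */
static int do_procmap_query_model(struct mm_model *mm, struct file_model *vm_file,
                                  unsigned int build_id_bufsz, bool fixed)
{
    const unsigned int build_id_sz = 20;
    char *name_buf = NULL;
    int err = 0;

    if (!mmget_not_zero(mm))
        return -ESRCH;
    mm->locked = true;            /* query_vma_setup(): lock and find the VMA */
    vm_file->refs++;              /* get_file(): keep vm_file valid after unlock */

    name_buf = malloc(64);        /* kmalloc() for the VMA name */
    if (!name_buf) {
        err = -ENOMEM;
        goto out;                 /* correct here: lock and mm ref still held */
    }

    /* Lock and mm reference are dropped before results are produced ... */
    mm->locked = false;           /* query_vma_teardown() */
    mmput(mm);

    /* ... so a check that now sits below this point must not use `out`. */
    if (build_id_bufsz < build_id_sz) {
        err = -ENAMETOOLONG;
        if (fixed)
            goto out_file;        /* patched: release only vm_file and name_buf */
        goto out;                 /* vulnerable: second mmput() on the same mm */
    }

    /* build ID, name and result struct would be copied to user space here */
    vm_file->refs--;              /* fput() */
    free(name_buf);
    return 0;

out:
    mm->locked = false;
    mmput(mm);
out_file:
    vm_file->refs--;              /* fput() */
    free(name_buf);
    return err;
}

/* What the owning task is left with after one query against its own mm. */
struct outcome {
    int  err;
    int  mm_users;
    bool mm_freed;
    int  file_refs;
};

static struct outcome run_query(unsigned int build_id_bufsz, bool fixed)
{
    struct mm_model   mm = { .mm_users = 1, .freed = false, .locked = false };
    struct file_model f  = { .refs = 1 };
    struct outcome    o;

    o.err       = do_procmap_query_model(&mm, &f, build_id_bufsz, fixed);
    o.mm_users  = mm.mm_users;
    o.mm_freed  = mm.freed;
    o.file_refs = f.refs;
    return o;
}

int main(void)
{
    static const struct { unsigned int bufsz; bool fixed; const char *label; } cases[] = {
        { 20, false, "vulnerable, buffer large enough" },
        {  8, false, "vulnerable, buffer too small   " },
        {  8, true,  "patched,    buffer too small   " },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct outcome o = run_query(cases[i].bufsz, cases[i].fixed);
        printf("%s: err=%d mm_users=%d mm_freed=%s file_refs=%d\n", cases[i].label,
               o.err, o.mm_users, o.mm_freed ? "yes" : "no", o.file_refs);
    }
    return 0;
}
```

In the vulnerable case with a too-small buffer the owner's mm_users drops from 1 to 0 and the model marks the mm freed while the task is still running on it; the patched path returns the same -ENAMETOOLONG but leaves mm_users at 1. The file reference is balanced in every case, which is why the fix only needs a later label rather than a restructured function.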
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.75 | f9fe092084cd |
| 6.18 | 6.18.16 | 8adaff87db14 |
| 6.19 | 6.19.6 | 90f5e87c9b75 |
| mainline | 7.0 | 61dc9f776705 |