HIGH
mm/vmalloc Shrinker Race
CVE-2026-46093
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI5.0MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: take vmap_purge_lock in shrinker decay_va_pool_node() can be invoked concurrently from two paths: __purge_vmap_area_lazy() when pools are being purged, and the shrinker via vmap_node_shrink_scan(). However, decay_va_pool_node() is not safe to run concurrently, and the shrinker path currently lacks serialization, leading to races and possible leaks. Protect decay_va_pool_node() by taking vmap_purge_lock in the shrinker path to ensure serialization with purge users.
02KernelScan AI Analysis
Risk summary
Systems under memory pressure may experience kernel memory leaks when the vmalloc shrinker runs concurrently with pool purging operations. This affects any system that uses vmalloc and encounters low memory conditions, potentially leading to gradual memory exhaustion and denial of service.
Vulnerability analysis
The vulnerability stems from decay_va_pool_node() being called concurrently from two code paths without proper serialization: the normal purge path via __purge_vmap_area_lazy() and the memory shrinker path via vmap_node_shrink_scan(). Since decay_va_pool_node() is not thread-safe, concurrent execution can lead to race conditions causing memory leaks in the vmalloc pool management. The fix adds vmap_purge_lock protection in the shrinker path using guard(mutex) to serialize access with existing purge operations. This is a local kernel-internal race condition that can be triggered by unprivileged users causing memory pressure.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.27 | 687ccdf58216 |
| 7.0 | 7.0.4 | 12f2341b4c23 |
| mainline | 7.1-rc1 | ec05f51f1e65 |