CVE-2026-23161— mm/shmem, swap: fix race of truncate and swap entry split
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-23161
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
mm/shmem, swap: fix race of truncate and swap entry split
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: mm/shmem, swap: fix race of truncate and swap entry split The helper for shmem swap freeing is not handling the order of swap entries correctly. It uses xa_cmpxchg_irq to erase the swap entry, but it gets the entry order before that using xa_get_order without lock protection, and it may get an outdated order value if the entry is split or changed in other ways after the xa_get_order and before the xa_cmpxchg_irq. And besides, the order could grow and be larger than expected, and cause truncation to erase data beyond the end border. For example, if the target entry and following entries are swapped in or freed, then a large folio was added in place and swapped out, using the same entry, the xa_cmpxchg_irq will still succeed, it's very unlikely to happen though. To fix that, open code the Xarray cmpxchg and put the order retrieval and value checking in the same critical section. Also, ensure the order won't exceed the end border, skip it if the entry goes across the border. Skipping large swap entries crosses the end border is safe here. Shmem truncate iterates the range twice, in the first iteration, find_lock_entries already filtered such entries, and shmem will swapin the entries that cross the end border and partially truncate the folio (split the folio or at least zero part of it). So in the second loop here, if we see a swap entry that crosses the end order, it must at least have its content erased already. I observed random swapoff hangs and kernel panics when stress testing ZSWAP with shmem. After applying this patch, all problems are gone.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于交换条目释放时存在竞争条件,可能导致数据被截断。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-23161
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-23161
请登录查看更多情报信息。
Same Patch Batch · Linux · 2026-02-14 · 108 CVEs total
| CVE-2026-23193 | 8.8 HIGH | scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() |
| CVE-2026-23172 | 8.4 HIGH | net: wwan: t7xx: fix potential skb->frags overflow in RX path |
| CVE-2026-23209 | 7.8 HIGH | macvlan: fix error recovery in macvlan_common_newlink() |
| CVE-2026-23169 | 7.8 HIGH | mptcp: fix race in mptcp_pm_nl_flush_addrs_doit() |
| CVE-2026-23171 | 7.8 HIGH | bonding: fix use-after-free due to enslave fail after slave array update |
| CVE-2026-23178 | 7.8 HIGH | HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report() |
| CVE-2026-23198 | 7.8 HIGH | KVM: Don't clobber irqfd routing type when deassigning irqfd |
| CVE-2026-23184 | 7.8 HIGH | binder: fix UAF in binder_netlink_report() |
| CVE-2026-23185 | 7.8 HIGH | wifi: iwlwifi: mld: cancel mlo_scan_start_wk |
| CVE-2026-23191 | 7.8 HIGH | ALSA: aloop: Fix racy access at PCM trigger |
| CVE-2026-23192 | 7.8 HIGH | linkwatch: use __dev_put() in callers to prevent UAF |
| CVE-2026-23148 | 7.5 HIGH | nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference |
| CVE-2026-23139 | 7.5 HIGH | netfilter: nf_conncount: update last_gc only when GC has been performed |
| CVE-2026-23136 | 7.5 HIGH | libceph: reset sparse-read state in osd_fault() |
| CVE-2026-23204 | 7.1 HIGH | net/sched: cls_u32: use skb_header_pointer_careful() |
| CVE-2026-23180 | 7.0 HIGH | dpaa2-switch: add bounds check for if_id in IRQ handler |
| CVE-2026-23175 | 7.0 HIGH | net: cpsw: Execute ndo_set_rx_mode callback in a work queue |
| CVE-2026-23195 | 7.0 HIGH | cgroup/dmem: avoid pool UAF |
| CVE-2026-23142 | mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure | |
| CVE-2026-23115 | serial: Fix not set tty->port race condition |
Showing top 20 of 108 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
Same vendor: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. Comments for CVE-2026-23161
No comments yet