CVE-2026-23195— cgroup/dmem: avoid pool UAF
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-23195
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
cgroup/dmem: avoid pool UAF
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: cgroup/dmem: avoid pool UAF An UAF issue was observed: BUG: KASAN: slab-use-after-free in page_counter_uncharge+0x65/0x150 Write of size 8 at addr ffff888106715440 by task insmod/527 CPU: 4 UID: 0 PID: 527 Comm: insmod 6.19.0-rc7-next-20260129+ #11 Tainted: [O]=OOT_MODULE Call Trace: <TASK> dump_stack_lvl+0x82/0xd0 kasan_report+0xca/0x100 kasan_check_range+0x39/0x1c0 page_counter_uncharge+0x65/0x150 dmem_cgroup_uncharge+0x1f/0x260 Allocated by task 527: Freed by task 0: The buggy address belongs to the object at ffff888106715400 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 64 bytes inside of freed 512-byte region [ffff888106715400, ffff888106715600) The buggy address belongs to the physical page: Memory state around the buggy address: ffff888106715300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888106715380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888106715400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888106715480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888106715500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb The issue occurs because a pool can still be held by a caller after its associated memory region is unregistered. The current implementation frees the pool even if users still hold references to it (e.g., before uncharge operations complete). This patch adds a reference counter to each pool, ensuring that a pool is only freed when its reference count drops to zero.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于cgroup/dmem存在释放后重用,可能导致内存损坏。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-23195
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-23195
请登录查看更多情报信息。
Same Patch Batch · Linux · 2026-02-14 · 108 CVEs total
| CVE-2026-23193 | 8.8 HIGH | scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() |
| CVE-2026-23172 | 8.4 HIGH | net: wwan: t7xx: fix potential skb->frags overflow in RX path |
| CVE-2026-23209 | 7.8 HIGH | macvlan: fix error recovery in macvlan_common_newlink() |
| CVE-2026-23178 | 7.8 HIGH | HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report() |
| CVE-2026-23184 | 7.8 HIGH | binder: fix UAF in binder_netlink_report() |
| CVE-2026-23185 | 7.8 HIGH | wifi: iwlwifi: mld: cancel mlo_scan_start_wk |
| CVE-2026-23171 | 7.8 HIGH | bonding: fix use-after-free due to enslave fail after slave array update |
| CVE-2026-23169 | 7.8 HIGH | mptcp: fix race in mptcp_pm_nl_flush_addrs_doit() |
| CVE-2026-23191 | 7.8 HIGH | ALSA: aloop: Fix racy access at PCM trigger |
| CVE-2026-23192 | 7.8 HIGH | linkwatch: use __dev_put() in callers to prevent UAF |
| CVE-2026-23198 | 7.8 HIGH | KVM: Don't clobber irqfd routing type when deassigning irqfd |
| CVE-2026-23136 | 7.5 HIGH | libceph: reset sparse-read state in osd_fault() |
| CVE-2026-23148 | 7.5 HIGH | nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference |
| CVE-2026-23139 | 7.5 HIGH | netfilter: nf_conncount: update last_gc only when GC has been performed |
| CVE-2026-23161 | 7.3 HIGH | mm/shmem, swap: fix race of truncate and swap entry split |
| CVE-2026-23204 | 7.1 HIGH | net/sched: cls_u32: use skb_header_pointer_careful() |
| CVE-2026-23175 | 7.0 HIGH | net: cpsw: Execute ndo_set_rx_mode callback in a work queue |
| CVE-2026-23180 | 7.0 HIGH | dpaa2-switch: add bounds check for if_id in IRQ handler |
| CVE-2025-71202 | iommu/sva: invalidate stale IOTLB entries for kernel address space | |
| CVE-2026-23137 | of: unittest: Fix memory leak in unittest_data_add() |
Showing top 20 of 108 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
Same vendor: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. Comments for CVE-2026-23195
No comments yet