CVE-2026-23225— sched/mmcid: Don't assume CID is CPU owned on mode switch
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-23225
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
sched/mmcid: Don't assume CID is CPU owned on mode switch
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: sched/mmcid: Don't assume CID is CPU owned on mode switch Shinichiro reported a KASAN UAF, which is actually an out of bounds access in the MMCID management code. CPU0 CPU1 T1 runs in userspace T0: fork(T4) -> Switch to per CPU CID mode fixup() set MM_CID_TRANSIT on T1/CPU1 T4 exit() T3 exit() T2 exit() T1 exit() switch to per task mode ---> Out of bounds access. As T1 has not scheduled after T0 set the TRANSIT bit, it exits with the TRANSIT bit set. sched_mm_cid_remove_user() clears the TRANSIT bit in the task and drops the CID, but it does not touch the per CPU storage. That's functionally correct because a CID is only owned by the CPU when the ONCPU bit is set, which is mutually exclusive with the TRANSIT flag. Now sched_mm_cid_exit() assumes that the CID is CPU owned because the prior mode was per CPU. It invokes mm_drop_cid_on_cpu() which clears the not set ONCPU bit and then invokes clear_bit() with an insanely large bit number because TRANSIT is set (bit 29). Prevent that by actually validating that the CID is CPU owned in mm_drop_cid_on_cpu().
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于在模式切换时错误假设CID由CPU拥有,可能导致越界访问。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-23225
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-23225
请登录查看更多情报信息。
Same Patch Batch · Linux · 2026-02-18 · 31 CVEs total
| CVE-2026-23230 | 8.8 HIGH | smb: client: split cached_fid bitfields to avoid shared-byte RMW races |
| CVE-2026-23226 | 8.8 HIGH | ksmbd: add chann_lock to protect ksmbd_chann_list xarray |
| CVE-2026-23227 | 7.8 HIGH | drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to |
| CVE-2026-23224 | 7.8 HIGH | erofs: fix UAF issue for file-backed mounts w/ directio option |
| CVE-2026-23222 | 7.8 HIGH | crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly |
| CVE-2025-71233 | PCI: endpoint: Avoid creating sub-groups asynchronously | |
| CVE-2026-23229 | crypto: virtio - Add spinlock protection with virtqueue notification | |
| CVE-2026-23228 | smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection() | |
| CVE-2026-23223 | xfs: fix UAF in xchk_btree_check_block_owner | |
| CVE-2026-23221 | bus: fsl-mc: fix use-after-free in driver_override_show() | |
| CVE-2026-23220 | ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths | |
| CVE-2025-71237 | nilfs2: Fix potential block overflow that cause system hang | |
| CVE-2025-71236 | scsi: qla2xxx: Validate sp before freeing associated memory | |
| CVE-2025-71235 | scsi: qla2xxx: Delay module unload while fabric scan in progress | |
| CVE-2025-71234 | wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add | |
| CVE-2026-23211 | mm, swap: restore swap_space attr aviod kernel panic | |
| CVE-2025-71232 | scsi: qla2xxx: Free sp in error path to fix system crash | |
| CVE-2025-71231 | crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode | |
| CVE-2025-71230 | hfs: ensure sb->s_fs_info is always cleaned up | |
| CVE-2025-71229 | wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon() |
Showing top 20 of 31 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
Same vendor: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. Comments for CVE-2026-23225
No comments yet