VYPR
Unrated severity · NVD Advisory · Published Feb 4, 2026 · Updated Apr 15, 2026

CVE-2026-23056

Description

In the Linux kernel, the following vulnerability has been resolved:

uacce: implement mremap in uacce_vm_ops to return -EPERM

The current uacce_vm_ops does not support the mremap operation of vm_operations_struct. Implement .mremap to return -EPERM to remind users.

The reason we need to explicitly disable mremap is that when the driver does not implement .mremap, it uses the default mremap method. This could lead to a risk scenario:

An application might first mmap address p1, then mremap to p2, followed by munmap(p1), and finally munmap(p2). Since the default mremap copies the original vma's vm_private_data (i.e., q) to the new vma, both munmap operations would trigger vma_close, causing q->qfr to be freed twice (qfr will be set to null here, so repeated release is ok).
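The sequence above and the effect of the fix, as a simplified userspace model added here for illustration; it is not kernel or uacce driver code. All names in it (`model_close`, `model_mremap_eperm`, `ops_before`, `ops_after`, `run_sequence`, `region`) are hypothetical, and the hook is consulted before the copy as a simplification.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified userspace model of the VMA lifecycle; not kernel code. */
struct queue { void *qfr; int close_calls; };   /* stands in for q */
struct vma;
struct vm_ops {
    void (*close)(struct vma *);
    int (*mremap)(struct vma *);                /* NULL: default copy applies */
};
struct vma { const struct vm_ops *ops; void *vm_private_data; int mapped; };
static int region;                              /* constructed stand-in for qfr */
static void model_close(struct vma *v)
{
    struct queue *q = v->vm_private_data;
    q->close_calls++;                           /* every munmap reaches close */
    q->qfr = NULL;                              /* page: qfr is set to null */
}
static int model_mremap_eperm(struct vma *v) { (void)v; return -EPERM; }

const struct vm_ops ops_before = { model_close, NULL };               /* no .mremap */
const struct vm_ops ops_after  = { model_close, model_mremap_eperm }; /* the fix */
/* The default path copies the vma, vm_private_data included. */
static int do_mremap(const struct vma *old, struct vma *new_vma)
{
    int ret = old->ops->mremap ? old->ops->mremap(new_vma) : 0;
    if (ret == 0) *new_vma = *old;
    return ret;
}
static void do_munmap(struct vma *v) { if (v->mapped) { v->ops->close(v); v->mapped = 0; } }

/* mmap p1, mremap to p2, munmap(p1), munmap(p2); returns close calls seen by q. */
int run_sequence(const struct vm_ops *ops, int *mremap_ret)
{
    struct queue q = { &region, 0 };
    struct vma p1 = { ops, &q, 1 }, p2 = { NULL, NULL, 0 };
    *mremap_ret = do_mremap(&p1, &p2);
    do_munmap(&p1);
    do_munmap(&p2);
    return q.close_calls;
}

int main(void)
{
    int r1, r2, c1 = run_sequence(&ops_before, &r1), c2 = run_sequence(&ops_after, &r2);
    printf("before: mremap=%d closes=%d; after: mremap=%d closes=%d\n", r1, c1, r2, c2);
    return 0;
}
```

Without the hook, one queue sees two close calls because both VMAs carry the same `vm_private_data`; with the hook, the remap is refused and only the original mapping is ever closed.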

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's uacce driver, missing mremap implementation could lead to double free; patch disables mremap by returning -EPERM.

Root Cause

The uacce driver's vm_operations_struct did not implement the .mremap operation, causing the default mremap behavior to be used. The default mremap copies the original VMA's vm_private_data (which points to the queue structure q) to the new VMA. If an application performs mmap, mremap, munmap on the original address, and then munmap on the new address, both munmap calls trigger vma_close, leading to a double free of q->qfr (though qfr is set to NULL after the first free, the double free is still a bug) [1][2][3].

Exploitation

An attacker with local access and the ability to mmap and mremap a uacce device can trigger this double-free condition. No special privileges beyond access to the uacce device are required. The attack involves a specific sequence of memory operations that exploit the missing mremap restriction [1].

Impact

A double free can lead to memory corruption, potentially allowing an attacker to achieve privilege escalation or cause a denial of service (system crash). The severity is considered moderate as it requires local access and specific conditions [1][2][3].

Mitigation

The fix implements the .mremap callback in uacce_vm_ops to return -EPERM, explicitly disabling mremap on uacce mappings. This prevents the risky memory operations. Users should apply the corresponding stable kernel patches to address CVE-2026-23056 [1][2][3].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
