CVE-2026-23225
Description
In the Linux kernel, the following vulnerability has been resolved:
sched/mmcid: Don't assume CID is CPU owned on mode switch
Shinichiro reported a KASAN UAF, which is actually an out of bounds access in the MMCID management code.
CPU0 CPU1 T1 runs in userspace T0: fork(T4) -> Switch to per CPU CID mode fixup() set MM_CID_TRANSIT on T1/CPU1 T4 exit() T3 exit() T2 exit() T1 exit() switch to per task mode ---> Out of bounds access.
As T1 has not scheduled after T0 set the TRANSIT bit, it exits with the TRANSIT bit set. sched_mm_cid_remove_user() clears the TRANSIT bit in the task and drops the CID, but it does not touch the per CPU storage. That's functionally correct because a CID is only owned by the CPU when the ONCPU bit is set, which is mutually exclusive with the TRANSIT flag.
Now sched_mm_cid_exit() assumes that the CID is CPU owned because the prior mode was per CPU. It invokes mm_drop_cid_on_cpu() which clears the not set ONCPU bit and then invokes clear_bit() with an insanely large bit number because TRANSIT is set (bit 29).
Prevent that by actually validating that the CID is CPU owned in mm_drop_cid_on_cpu().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Linux kernel MMCID management bug causes an out-of-bounds access when a task exits with a stale TRANSIT bit, leading to a potential KASAN UAF.
Vulnerability
Overview
CVE-2026-23225 is a high-severity vulnerability in the Linux kernel's MMCID (per-task memory context ID) management code. The root cause is a race condition where a task can exit while still holding a TRANSIT bit in its MMCID state, without the corresponding per-CPU ONCPU bit being set. The kernel's exit path then incorrectly assumes the CID is CPU-owned and attempts to clear the ONCPU bit, which is not set, leading to an out-of-bounds access via clear_bit() with an invalid bit number derived from the TRANSIT flag (bit 29). This was discovered via a KASAN report of a use-after-free (UAF) [1].
Exploitation
Conditions
Exploitation requires a specific race condition between multiple CPUs. As described in the kernel commit, CPU0 forks a new task (T4) and switches to per-CPU CID mode, setting the MM_CID_TRANSIT bit on T1 running on CPU1. Meanwhile, T1 continues running in userspace and then exits without ever scheduling after the TRANSIT bit was set. When T1's exit handler runs sched_mm_cid_remove_user(), it clears the TRANSIT bit in the task and drops the CID, but does not update the per-CPU storage. Subsequently, sched_mm_cid_exit() incorrectly assumes the CID is CPU-owned because the prior mode was per-CPU, and calls mm_drop_cid_on_cpu(), which triggers the out-of-bounds access [1].
Impact
An attacker who can trigger this race condition (likely requiring local access and the ability to create and exit processes in a specific timing window) could cause a kernel crash or potentially escalate privileges. The KASAN report indicates a use-after-free, which may be exploitable for arbitrary code execution in the kernel context. The CVSS v3 score of 7.8 reflects the high impact on confidentiality, integrity, and availability [1].
Mitigation
The fix is included in the Linux kernel stable tree as commit 81f29975631db8a78651b3140ecd0f88ffafc476. The patch adds a validation check in mm_drop_cid_on_cpu() to ensure the CID is actually CPU-owned before attempting to clear the ONCPU bit. Users should apply the latest kernel updates from their distribution to remediate this vulnerability [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.