VYPR
← All advisories
Medium severity5.5NVD Advisory· Published Apr 2, 2026· Updated Apr 24, 2026

CVE-2026-23416

CVE-2026-23416

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/mseal: update VMA end correctly on merge

Previously we stored the end of the current VMA in curr_end, and then upon iterating to the next VMA updated curr_start to curr_end to advance to the next VMA.

However, this doesn't take into account the fact that a VMA might be updated due to a merge by vma_modify_flags(), which can result in curr_end being stale and thus, upon setting curr_start to curr_end, ending up with an incorrect curr_start on the next iteration.

Resolve the issue by setting curr_end to vma->vm_end unconditionally to ensure this value remains updated should this occur.

While we're here, eliminate this entire class of bug by simply setting const curr_[start/end] to be clamped to the input range and VMAs, which also happens to simplify the logic.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A logic bug in mseal VMA merging can cause incorrect end address calculation, leading to wrong VMA tracking.

The vulnerability is a logic error in the Linux kernel's mseal mechanism for memory sealing. When iterating over VMAs, the code stored the end (curr_end) of the current VMA was saved and then used to set the start (curr_start) of the next VMA. However, if vma_modify_flags() merges the current VMA, curr_end could update curr_end, making it stale. The fix updates curr_end unconditionally to vma->vm_end and simplifies the iteration by clamping curr_start/curr_end to the input range and VMAs [1][3].

Attack

Vector Exploitation requires local access and the ability to trigger VMA merging operations. The bug can cause incorrect VMA tracking when using mseal flags, potentially malforming subsequent memory management operations. No special privileges beyond user-level access are needed if the attacker can induce the merge scenario [1].

Impact

An attacker could cause the kernel to maintain incorrect VMA boundaries, which could lead to unexpected behavior, such as improper sealing of memory regions or memory corruption. This may result in a denial of service or potentially enable further exploitation. The CVSS v3 score of 5.5 (Medium) reflects local access required and moderate impact [1].

Mitigation

Multiple stable kernel trees have backported the fix, as indicated by the commit references [1][2][3]. Users should update to patched versions. There is no known workaround.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

10
  • Linux/Kernel10 versions
    cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 9 more
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.17.1,<6.18.21
    • cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
    • (no CPE)

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.