VYPR
← All advisories
Unrated severityNVD Advisory· Published May 13, 2026

CVE-2026-43489

CVE-2026-43489

Description

In the Linux kernel, the following vulnerability has been resolved:

liveupdate: luo_file: remember retrieve() status

LUO keeps track of successful retrieve attempts on a LUO file. It does so to avoid multiple retrievals of the same file. Multiple retrievals cause problems because once the file is retrieved, the serialized data structures are likely freed and the file is likely in a very different state from what the code expects.

The retrieve boolean in struct luo_file keeps track of this, and is passed to the finish callback so it knows what work was already done and what it has left to do.

All this works well when retrieve succeeds. When it fails, luo_retrieve_file() returns the error immediately, without ever storing anywhere that a retrieve was attempted or what its error code was. This results in an errored LIVEUPDATE_SESSION_RETRIEVE_FD ioctl to userspace, but nothing prevents it from trying this again.

The retry is problematic for much of the same reasons listed above. The file is likely in a very different state than what the retrieve logic normally expects, and it might even have freed some serialization data structures. Attempting to access them or free them again is going to break things.

For example, if memfd managed to restore 8 of its 10 folios, but fails on the 9th, a subsequent retrieve attempt will try to call kho_restore_folio() on the first folio again, and that will fail with a warning since it is an invalid operation.

Apart from the retry, finish() also breaks. Since on failure the retrieved bool in luo_file is never touched, the finish() call on session close will tell the file handler that retrieve was never attempted, and it will try to access or free the data structures that might not exist, much in the same way as the retry attempt.

There is no sane way of attempting the retrieve again. Remember the error retrieve returned and directly return it on a retry. Also pass this status code to finish() so it can make the right decision on the work it needs to do.

This is done by changing the bool to an integer. A value of 0 means retrieve was never attempted, a positive value means it succeeded, and a negative value means it failed and the error code is the value.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A failure to track retrieve status in Linux kernel's liveupdate subsystem can lead to use-after-free or double-free on retry or session close.

Vulnerability

In the Linux kernel's liveupdate (LUO) subsystem, the luo_file structure uses a retrieved boolean to track successful retrieval attempts. When luo_retrieve_file() fails, the error is returned immediately without updating retrieved. This allows a subsequent LIVEUPDATE_SESSION_RETRIEVE_FD ioctl to retry, or the finish() callback to assume retrieval was never attempted, leading to access of freed or inconsistent data structures. The issue affects all kernel versions with the LUO feature [1][2].

Exploitation

An attacker with the ability to invoke the LIVEUPDATE_SESSION_RETRIEVE_FD ioctl (requiring local access or specific privileges) can trigger a failed retrieve, e.g., by causing a partial restoration failure. After the first failure, a retry attempt will try to restore already-restored folios, causing warnings or corruption. Alternatively, closing the session calls finish(), which may free data structures that were partially freed, leading to a double-free [1][2].

Impact

Successful exploitation can result in memory corruption, system crash, or potentially privilege escalation. The vulnerability allows a local attacker to trigger a use-after-free or double-free condition, compromising system stability and security [1][2].

Mitigation

The fix is included in Linux kernel commits [1] and [2]. The commits ensure that the error status is stored and returned on retry, and passed to finish(). Users should apply the latest stable kernel updates. No workaround is available; systems must be patched [1][2].

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

2
f85b1c6af5bc
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitvia nvd-ref
commit
1d3ad69484dc
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitvia nvd-ref
commit

Vulnerability mechanics

Root cause

"The `retrieved` boolean in `struct luo_file` is never set on failed `luo_retrieve_file()` calls, allowing retry and causing use-after-free or double-free of serialization data structures."

Attack vector

An attacker with the ability to invoke the `LIVEUPDATE_SESSION_RETRIEVE_FD` ioctl can trigger a partial restore (e.g., memfd restores 8 of 10 folios then fails). Because the `retrieved` boolean is never updated on failure, the attacker can retry the ioctl, causing the kernel to re-enter restore logic on already-partially-restored data structures. This leads to invalid operations such as calling `kho_restore_folio()` on an already-restored folio, triggering kernel warnings or memory corruption. The same missing boolean update also causes the `finish()` callback on session close to assume no retrieve was attempted, leading to access or double-free of freed serialization data.

Affected code

The vulnerability is in the liveupdate subsystem's `luo_file` handling, specifically the `retrieved` boolean in `struct luo_file` and the `luo_retrieve_file()` function. The patch modifies the boolean to an integer status field and updates the logic in `luo_retrieve_file()` and the `finish()` callback to propagate and check the error status.

What the fix does

The patch changes the `retrieved` boolean in `struct luo_file` to an integer status field. A value of 0 means retrieve was never attempted, a positive value means it succeeded, and a negative value stores the error code from a failed retrieve. On a failed `luo_retrieve_file()` call, the error code is now stored in this field. Subsequent retry attempts check this field and return the stored error immediately without re-entering the restore logic. The `finish()` callback also receives this status so it can correctly determine what cleanup work is needed, preventing access to freed or partially-initialized data structures.

Preconditions

  • authAttacker must have the capability to invoke the LIVEUPDATE_SESSION_RETRIEVE_FD ioctl on a liveupdate session
  • inputThe retrieve operation must partially fail (e.g., memfd restores some but not all folios) to leave data structures in an inconsistent state

Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.