CVE-2026-23025 Overview
CVE-2026-23025 is a race condition vulnerability in the Linux kernel's memory management subsystem, specifically affecting the per-CPU page allocator (mm/page_alloc) when compiled with SMP=n (uniprocessor configuration). The vulnerability allows for corruption of the per-CPU pages (pcp) structure due to improper spinlock handling during interrupt-driven memory operations.
Critical Impact
Kernel memory corruption affecting systems compiled with SMP=n can lead to system instability, denial of service, and potential exploitation of corrupted memory structures.
Affected Products
- Linux kernel version 6.18.0-rc5 and potentially earlier versions
- Systems compiled with SMP=n (uniprocessor) configuration
- Systems with the memory compaction daemon (kcompactd) active
Discovery Timeline
- 2026-01-31 - CVE CVE-2026-23025 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2026-23025
Vulnerability Analysis
This vulnerability stems from a design flaw in the per-CPU page allocator's locking mechanism when the kernel is compiled without symmetric multiprocessing support (SMP=n). The kernel test robot identified a spinlock trylock failure during the execution of the kcompactd0 memory compaction daemon.
In the affected code path, when drain_pages_zone() holds spin_lock(&pcp->lock), an interrupt can occur that eventually calls __free_frozen_pages() which attempts spin_trylock() on the same lock. While this design is intended to work on SMP systems by allowing the trylock to fail with a fallback mechanism, the uniprocessor spinlock implementation assumes spin_trylock() will always succeed, making it effectively a no-op.
The issue was introduced by commit 574907741599 ("mm/page_alloc: leave IRQs enabled for per-cpu page allocations"), which optimized the pcp locking scheme but failed to account for the nesting scenario in spin_lock() sections on SMP=n configurations.
Root Cause
The root cause is the asymmetric behavior between SMP and SMP=n spinlock implementations. The pcp locking scheme recognized the need to disable IRQs to prevent nesting spin_trylock() sections on uniprocessor systems, but the code did not account for the same nesting requirement when using spin_lock(). On SMP=n systems, both spin_lock() and spin_trylock() are simplified implementations that don't handle the case where an interrupt handler attempts to acquire a lock already held by the interrupted context.
Attack Vector
The vulnerability is triggered through normal kernel operations rather than external attack vectors. When the memory compaction daemon (kcompactd) is draining pages and an interrupt occurs that triggers memory freeing operations through the RCU callback mechanism, the lock nesting condition manifests. The call chain involves:
- kcompactd calls drain_pages_zone() holding pcp->lock
- An APIC timer interrupt fires during this critical section
- The interrupt handler processes softirqs including RCU callbacks
- tlb_remove_table_rcu() eventually calls __free_frozen_pages()
- The free operation attempts spin_trylock() on the already-held pcp->lock
While exploitation requires specific timing conditions, the corruption of pcp structures could potentially be leveraged for privilege escalation or denial of service attacks on affected systems.
Detection Methods for CVE-2026-23025
Indicators of Compromise
- Kernel log messages showing "BUG: spinlock trylock failure on UP" errors
- Stack traces referencing __free_frozen_pages, drain_pages_zone, and kcompactd in the call chain
- System crashes or hangs during heavy memory operations
- Unexpected behavior in memory compaction operations
Detection Strategies
- Monitor kernel logs (dmesg) for spinlock debugging messages containing "trylock failure on UP"
- Enable CONFIG_DEBUG_SPINLOCK kernel option to catch lock violations
- Track system stability issues on uniprocessor kernel configurations
- Review kernel configuration for SMP=n setting in /proc/config.gz or kernel config files
Monitoring Recommendations
- Implement kernel log monitoring for spinlock-related error messages
- Set up alerts for kernel panics or oops involving mm/page_alloc.c
- Monitor memory subsystem health through /proc/vmstat and /proc/buddyinfo
- Track kcompactd process behavior and resource utilization
How to Mitigate CVE-2026-23025
Immediate Actions Required
- Apply the kernel patches from the official kernel git repository
- Consider recompiling the kernel with SMP=y if hardware supports multiple processors
- Monitor affected systems closely for signs of memory corruption
- Schedule maintenance windows for kernel updates on production systems
Patch Information
The fix introduces local wrapper functions that change spin_lock() to spin_lock_irqsave() specifically for SMP=n configurations. These wrappers with the pcp_ prefix are applied to all code paths that acquire spin_lock(&pcp->lock), ensuring IRQs are disabled during the critical section and preventing the lock nesting issue.
Multiple patch commits are available from the kernel git repository:
- Kernel Git Commit 038a102
- Kernel Git Commit 3098f8f
- Kernel Git Commit 4a04ff9
- Kernel Git Commit df63d31
Workarounds
- Compile kernel with CONFIG_SMP=y to use the full SMP-aware spinlock implementation
- Disable memory compaction temporarily by setting /proc/sys/vm/compact_memory to 0
- Enable kernel lock debugging (CONFIG_DEBUG_SPINLOCK) to detect issues early
- Consider limiting memory pressure to reduce compaction daemon activity
# Check if kernel is compiled with SMP support
zcat /proc/config.gz | grep CONFIG_SMP
# Temporarily disable memory compaction (workaround)
echo 0 > /proc/sys/vm/compact_memory
# Monitor for spinlock issues in kernel logs
dmesg -w | grep -i "spinlock\|trylock"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
