CVE-2026-23142 Overview
A memory leak and resource management vulnerability has been identified in the Linux kernel's DAMON (Data Access MONitoring) subsystem. The flaw exists in the mm/damon/sysfs-scheme component, where subdirectories of the access_pattern/ directory fail to be properly cleaned up when a DAMOS-scheme DAMON sysfs directory setup fails after initial directory creation.
This improper cleanup can lead to memory leakage and leave the DAMON sysfs interface in a broken state, requiring a system reboot to restore normal functionality.
Critical Impact
The vulnerability causes persistent resource leakage and can render the DAMON sysfs interface non-functional until system reboot, impacting memory monitoring and management capabilities.
Affected Products
- Linux Kernel (affected versions with DAMON sysfs-scheme support)
- Systems utilizing DAMON for data access monitoring
- Linux distributions with vulnerable kernel versions
Discovery Timeline
- February 14, 2026 - CVE CVE-2026-23142 published to NVD
- February 18, 2026 - Last updated in NVD database
Technical Details for CVE-2026-23142
Vulnerability Analysis
This vulnerability is a Memory Leak issue in the Linux kernel's memory management subsystem. The root of the problem lies in the error handling path of the DAMON sysfs directory setup routine. When a DAMOS-scheme directory setup operation fails after successfully creating the access_pattern/ directory and its subdirectories, the cleanup routine fails to properly remove these already-created subdirectories.
The consequence is twofold: memory allocated for the unremoved directory structures is never freed (memory leak), and the DAMON sysfs interface becomes nearly unusable until a full system reboot is performed. This affects systems that rely on DAMON for data access pattern monitoring and memory management optimization.
Root Cause
The vulnerability stems from incomplete error handling in the sysfs directory setup code path. When the setup function encounters a failure condition after the access_pattern/ directory and its subdirectories have been created, the error handling code does not traverse and remove these partially created directory structures. This leaves orphaned sysfs entries that consume kernel memory and interfere with subsequent DAMON operations.
Attack Vector
The attack vector for this vulnerability is currently unknown. As a kernel-level resource management issue, exploitation would typically require local access and the ability to trigger DAMON sysfs operations. The vulnerability is more likely to manifest as a reliability issue rather than a direct security exploit, though persistent memory leaks could potentially be leveraged for denial of service scenarios.
The vulnerability was resolved by implementing proper cleanup of the access_pattern/ subdirectories when setup failures occur. Multiple patch commits have been applied to the kernel stable branches to address this issue. For technical details, refer to the kernel git commits.
Detection Methods for CVE-2026-23142
Indicators of Compromise
- Unexplained memory growth in kernel space related to sysfs structures
- DAMON sysfs interface becoming unresponsive or returning errors
- Orphaned directory entries under /sys/kernel/mm/damon/ paths
- System logs indicating DAMON sysfs setup failures
Detection Strategies
- Monitor kernel memory usage for gradual increases that may indicate memory leaks
- Implement health checks for DAMON sysfs interface functionality
- Review kernel logs for DAMON-related error messages or setup failures
- Track sysfs directory creation and cleanup operations through audit subsystem
Monitoring Recommendations
- Configure kernel memory monitoring to alert on unusual growth patterns
- Implement automated DAMON functionality tests as part of system health monitoring
- Set up log aggregation to capture and analyze DAMON-related kernel messages
- Consider using SentinelOne Singularity platform for comprehensive kernel-level monitoring and anomaly detection
How to Mitigate CVE-2026-23142
Immediate Actions Required
- Update to a patched kernel version containing the fix commits
- If immediate patching is not possible, avoid DAMON sysfs operations that may trigger the vulnerability
- Plan for system reboots if DAMON functionality becomes degraded
- Monitor systems for symptoms of the vulnerability until patches can be applied
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix ensures proper cleanup of access_pattern/ subdirectories when scheme directory setup fails. The patches are available through the following kernel git commits:
Organizations should apply the appropriate patch for their kernel version branch.
Workarounds
- Minimize or avoid using DAMON sysfs-scheme operations until the patch is applied
- Implement scheduled system reboots to clear leaked memory if DAMON usage is required
- Consider disabling DAMON functionality temporarily if not critical to operations
- Deploy monitoring to detect and alert on DAMON interface degradation
# Check current kernel version
uname -r
# Verify DAMON sysfs interface status
ls -la /sys/kernel/mm/damon/
# Monitor kernel memory usage for sysfs structures
cat /proc/meminfo | grep -i slab
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
