CVE-2026-23144 Overview
A memory leak and resource cleanup vulnerability has been identified in the Linux kernel's DAMON (Data Access MONitor) sysfs interface. When a context DAMON sysfs directory setup fails after the setup of the attrs/ directory, subdirectories of the attrs/ directory are not properly cleaned up. This improper resource management leads to memory leaks and can render the DAMON sysfs interface nearly broken until the system is rebooted.
Critical Impact
The DAMON sysfs interface becomes nearly non-functional after a directory setup failure, requiring a system reboot to restore functionality. Additionally, memory allocated for unremoved directories is leaked, potentially contributing to resource exhaustion over time.
Affected Products
- Linux Kernel (multiple versions with DAMON sysfs support)
Discovery Timeline
- 2026-02-14 - CVE CVE-2026-23144 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-23144
Vulnerability Analysis
This vulnerability exists in the Linux kernel's memory management subsystem, specifically within the DAMON (Data Access MONitor) sysfs interface implementation located in mm/damon/sysfs. DAMON is a kernel subsystem that monitors data access patterns and provides this information through a sysfs interface for user-space applications.
The issue occurs during the context directory setup process. When the setup of a context DAMON sysfs directory fails after the attrs/ directory and its subdirectories have already been created, the error handling path does not properly clean up these already-created subdirectories. This failure to deallocate resources results in orphaned directory structures that persist in memory.
The practical impact is twofold: first, the DAMON sysfs interface becomes largely unusable after such a failure, severely degrading the system's memory monitoring capabilities until a reboot. Second, the memory associated with these orphaned directories is never freed, constituting a memory leak that could compound over time if the failure condition is triggered repeatedly.
Root Cause
The root cause is improper error handling in the DAMON sysfs context directory setup code path. When an error occurs during setup after the attrs/ subdirectories have been created, the cleanup routine fails to traverse and remove these nested directory structures. This is a classic resource leak pattern where partial initialization is not properly rolled back on failure.
Attack Vector
The attack vector for this vulnerability is local, as it requires interaction with the kernel's sysfs interface. An attacker with local access could potentially trigger the directory setup failure condition repeatedly to cause memory exhaustion or degrade system functionality by breaking the DAMON interface. However, exploitation would typically require elevated privileges to interact with the DAMON sysfs interface.
The vulnerability manifests during the context directory setup process in the DAMON sysfs interface. When the setup fails after attrs/ subdirectories have been created, the error handling path does not properly clean up the already-created structures. For technical details, see the kernel git commits that address this issue.
Detection Methods for CVE-2026-23144
Indicators of Compromise
- Unexplained growth in kernel memory usage over time
- DAMON sysfs interface becoming unresponsive or returning errors
- Orphaned directory entries in /sys/kernel/mm/damon/ that persist across DAMON operations
- System logs indicating failures in DAMON context directory setup
Detection Strategies
- Monitor kernel memory allocation patterns for gradual increases without corresponding frees
- Implement automated checks for DAMON sysfs interface health and functionality
- Use kernel memory debugging tools like kmemleak to detect unreferenced memory allocations
- Review system logs for DAMON-related error messages during context setup operations
Monitoring Recommendations
- Deploy SentinelOne agents to monitor for abnormal kernel memory behavior patterns
- Establish baseline memory metrics for systems using DAMON and alert on deviations
- Configure automated health checks for the DAMON sysfs interface
- Monitor /sys/kernel/mm/damon/ for unexpected directory structures or states
How to Mitigate CVE-2026-23144
Immediate Actions Required
- Apply the kernel patches provided in the referenced git commits
- Restart affected systems after patching to ensure clean DAMON sysfs state
- If patching is not immediately possible, avoid operations that could trigger DAMON context directory setup failures
- Monitor affected systems for signs of memory leaks or DAMON interface degradation
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix ensures that directories under attrs/ are properly cleaned up when a context directory setup failure occurs. Multiple commits have been provided for different kernel stable branches:
- Kernel Git Commit 43964644348f
- Kernel Git Commit 5651c0c391c0
- Kernel Git Commit 78b4eb99751e
- Kernel Git Commit 9814cc832b88
- Kernel Git Commit db7dfe78fc81
Workarounds
- If patching is not immediately feasible, consider disabling DAMON functionality if not required for operations
- Implement proactive system reboots during maintenance windows to clear any accumulated leaked memory
- Limit access to the DAMON sysfs interface to only trusted administrators
- Use container isolation or namespacing to limit the impact of potential exploitation
# Check current kernel version and DAMON status
uname -r
ls -la /sys/kernel/mm/damon/
# Verify patch status by checking if the fix commits are included
# Update to a patched kernel version
sudo apt update && sudo apt upgrade linux-image-generic
# After patching, reboot to ensure clean state
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
