CVE-2026-23161 Overview
A race condition vulnerability has been identified in the Linux kernel's memory management subsystem, specifically in the shmem swap freeing helper. The vulnerability exists in the handling of swap entry order during truncate operations, where xa_get_order is called without proper lock protection before xa_cmpxchg_irq, allowing the entry order value to become outdated if the entry is split or modified between these operations.
This flaw can lead to truncation operations erasing data beyond the intended end border when the order value grows unexpectedly. In stress testing scenarios with ZSWAP and shmem, the vulnerability has been observed to cause random swapoff hangs and kernel panics.
Critical Impact
This race condition in Linux kernel memory management can cause kernel panics and system hangs during swap operations, potentially leading to denial of service conditions on affected systems.
Affected Products
- Linux kernel (affected versions with shmem swap handling)
- Systems utilizing ZSWAP with shared memory
- Systems with heavy swap utilization and shmem workloads
Discovery Timeline
- 2026-02-14 - CVE-2026-23161 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-23161
Vulnerability Analysis
The vulnerability is a Time-of-Check Time-of-Use (TOCTOU) race condition in the Linux kernel's shmem swap freeing mechanism. The core issue stems from the separation between reading the swap entry order via xa_get_order and performing the atomic compare-and-exchange operation with xa_cmpxchg_irq, without maintaining proper lock protection across both operations.
When the target entry and subsequent entries are swapped in or freed, and then a large folio is added in place and swapped out using the same entry, the xa_cmpxchg_irq operation can still succeed despite operating on stale order information. This can result in truncation operations inadvertently erasing data beyond the intended boundaries.
The manifestation of this vulnerability during stress testing included random swapoff hangs and kernel panics, indicating that the race condition can lead to memory corruption or invalid memory access patterns.
Root Cause
The root cause is the lack of lock protection between retrieving the entry order with xa_get_order and the subsequent atomic operation xa_cmpxchg_irq. This creates a window during which the swap entry can be split, changed, or replaced by a larger folio, causing the cached order value to become invalid. The fix requires placing both the order retrieval and value checking operations within the same critical section to ensure atomicity.
Attack Vector
This vulnerability is triggered through local operations involving shmem truncation and swap operations. An attacker with local access could potentially trigger the race condition by:
- Creating conditions where swap entries are rapidly freed and reallocated
- Forcing large folio allocations during truncate operations
- Generating heavy concurrent workloads on shmem with ZSWAP enabled
The attack requires local access to the system and the ability to trigger memory-intensive operations that stress the swap subsystem.
The vulnerability manifests in the XArray operations within the shmem swap freeing helper. The fix open-codes the XArray cmpxchg operation so that order retrieval and value checking happen in the same critical section, and it also ensures the order doesn't exceed the end border. See the kernel git commits for technical implementation details.
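The check-then-use window and the fix described above, as an added single-threaded user-space model (not kernel code and not the actual patch). The names `toy_map`, `store`, `regrow`, `free_racy`, `free_fixed` and `demo` are hypothetical, the values are constructed, and the concurrent change is injected deterministically at the point where another CPU could run.

```c
#include <stdio.h>

#define NSLOTS 32
#define SWAP_V 0xabcUL  /* constructed swap value */
#define END    9UL      /* last page index the truncate may touch */
/* Toy mapping (assumption): val[i] covers page i, order[i] is its entry's order. */
struct toy_map { unsigned long val[NSLOTS]; unsigned order[NSLOTS]; };

/* Store v as one entry of the given order over the aligned range around idx. */
static void store(struct toy_map *m, unsigned long idx, unsigned order, unsigned long v) {
    unsigned long n = 1UL << order, base = idx & ~(n - 1);
    for (unsigned long i = base; i < base + n; i++) { m->val[i] = v; m->order[i] = order; }
}
/* Concurrent actor: the same value returns as an order-3 entry over pages 8..15. */
static void regrow(struct toy_map *m) { store(m, 8, 3, SWAP_V); }

/* Racy shape: order sampled first, compare-and-erase done later. */
static long free_racy(struct toy_map *m, unsigned long idx, unsigned long expect, int race) {
    unsigned order = m->order[idx];       /* time of check */
    if (race) regrow(m);                  /* change lands in the window */
    if (m->val[idx] != expect) return 0;  /* value is unchanged, so no bail-out */
    store(m, idx, m->order[idx], 0);      /* erases the entry as it is now */
    return 1L << order;                   /* stale page count */
}
/* Fixed shape: order read, value compare and border check with no window between. */
static long free_fixed(struct toy_map *m, unsigned long idx, unsigned long end,
                       unsigned long expect, int race) {
    if (race) regrow(m);                  /* change can only land before the section */
    unsigned order = m->order[idx];
    unsigned long base = idx & ~((1UL << order) - 1);
    if (m->val[idx] != expect || base + (1UL << order) - 1 > end) return 0;  /* skip */
    store(m, idx, order, 0);
    return 1L << order;
}
/* One truncate step on page 8; returns how many slots past END were erased. */
static unsigned long demo(int fixed, long *reported) {
    struct toy_map m;
    for (unsigned long i = 0; i < NSLOTS; i++) store(&m, i, 0, 0x100 + i);
    store(&m, 8, 0, SWAP_V);
    *reported = fixed ? free_fixed(&m, 8, END, SWAP_V, 1) : free_racy(&m, 8, SWAP_V, 1);
    unsigned long n = 0;
    for (unsigned long i = END + 1; i < NSLOTS; i++) n += (m.val[i] == 0);
    return n;
}
int main(void) {
    long r0, r1;
    unsigned long b0 = demo(0, &r0), b1 = demo(1, &r1);
    printf("racy: reported=%ld beyond=%lu | fixed: reported=%ld beyond=%lu\n", r0, b0, r1, b1);
    return 0;
}
```

With the injected change, the racy shape reports one page freed while the slots past the end border that the regrown entry covers are erased; the fixed shape skips the entry because it crosses the border.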
Detection Methods for CVE-2026-23161
Indicators of Compromise
- Unexpected kernel panics or system crashes during swap operations
- Random swapoff command hangs without completion
- Kernel log messages indicating memory corruption in shmem subsystem
- Unusual system instability during high memory pressure scenarios
Detection Strategies
- Monitor kernel logs for panic traces involving mm/shmem or swap-related functions
- Implement system monitoring for unexpected swapoff hangs or timeouts
- Use kernel debugging tools to detect TOCTOU race conditions in swap handling
- Deploy crash dump analysis to identify memory corruption patterns consistent with this vulnerability
Monitoring Recommendations
- Enable kernel crash dump collection for forensic analysis of any system panics
- Monitor system swap utilization and correlate with stability issues
- Implement alerting for swapoff operations that exceed normal completion times
- Review system logs for memory management warnings or errors related to shmem
How to Mitigate CVE-2026-23161
Immediate Actions Required
- Apply the kernel security patches from the official kernel git repository
- Schedule system updates during maintenance windows to apply the fix
- Consider temporarily reducing swap utilization on critical systems until patched
- Monitor affected systems closely for signs of instability
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix open-codes the XArray cmpxchg operation to ensure proper lock protection and places the order retrieval and value checking within the same critical section. The patches also ensure the order won't exceed the end border and skip entries that cross the border.
Patches are available from the following kernel git commits:
Workarounds
- Reduce or disable ZSWAP on affected systems if immediate patching is not possible
- Limit shmem workloads that involve heavy truncation operations
- Consider disabling swap temporarily on critical systems until patches can be applied
- Implement system monitoring to detect and respond to instability symptoms
# Temporary workaround: Reduce swap pressure on affected systems
# Check current swap status
swapon --show
# Adjust swappiness to reduce swap usage (temporary measure)
sysctl vm.swappiness=10
# Monitor for swap-related issues
dmesg | grep -i "shmem\|swap\|panic"


