CVE-2026-23177 Overview
CVE-2026-23177 is a Linux kernel vulnerability in the shared memory (shmem) subsystem. The flaw allows an infinite loop in the kernel when truncating a large swap entry under a specific race condition. When index points to the middle of a large swap entry that does not cross the truncation end boundary, find_get_entries() returns the entry with indices[0] equal to index, while shmem_free_swap() fails the base < index check and returns 0. The truncate loop then retries at the same index indefinitely, producing a kernel-side denial of service condition on affected systems.
Critical Impact
Local processes triggering a truncate race on shmem-backed swap entries can drive the kernel into an infinite loop, exhausting CPU and causing denial of service.
Affected Products
- Linux kernel mm/shmem subsystem (mainline)
- Stable kernel branches receiving the fix referenced by commits 2030dddf, 7b6a0f12, and dfc3ab6b
- Distributions shipping pre-patch kernels with large swap entry support enabled
Discovery Timeline
- 2026-02-14 - CVE-2026-23177 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-23177
Vulnerability Analysis
The vulnerability is an infinite loop (Denial of Service) in the Linux kernel mm/shmem.c truncate path. When truncating tmpfs or shmem-backed memory, the kernel iterates over page cache entries with find_get_entries() and frees swap entries through shmem_free_swap(). The function returns 0 if an entry's base index does not match the requested index because of lookup alignment with large (multi-order) swap entries.
The fallback path validates whether the entry crosses the truncate end boundary to avoid erasing unrelated data. However, when index lands in the middle of a large swap entry that lies entirely within the truncation range, the entry is returned with indices[0] == index. Because the entry's base index is smaller than index, the base < index guard rejects the free, and the loop retries at the unchanged index. Each iteration recovers the same entry, producing a non-terminating loop inside kernel context.
Root Cause
The root cause is missing index alignment in the retry logic of the shmem truncate path. The loop does not round the index down to the base of a large swap entry before retrying, so progress is never made when a mid-entry index satisfies both the base < index rejection and the end-boundary check.
Attack Vector
A local attacker capable of allocating shmem or tmpfs regions backed by large swap entries can trigger truncate operations that race with swap entry placement. When the race aligns index to the middle of a large swap entry, the kernel enters the infinite loop. No remote vector is documented, and the impact is availability of the affected host.
No public exploit code, proof-of-concept, or in-the-wild exploitation has been reported. The fix is described in upstream patches referenced by commits 2030dddf, 7b6a0f12, and dfc3ab6b.
Detection Methods for CVE-2026-23177
Indicators of Compromise
- A kernel thread or user process pinned at 100% CPU inside the shmem_undo_range or shmem_truncate_range call path.
- Soft lockup or RCU stall messages in dmesg referencing shmem_free_swap, find_get_entries, or shmem_undo_range.
- Unresponsive tmpfs file operations or hung truncate(2) / ftruncate(2) syscalls on shmem-backed files.
Detection Strategies
- Monitor /proc/<pid>/stack for processes stuck in shmem truncate routines while consuming sustained CPU.
- Alert on kernel softlockup or hung_task warnings emitted via kern.log or the systemd journal.
- Correlate elevated system CPU time on hosts running tmpfs-heavy workloads with truncate or unlink activity.
Monitoring Recommendations
- Ingest kernel log streams into a centralized log platform and create rules for BUG:, soft lockup, and RCU stall events tied to shmem_* symbols.
- Track per-process CPU time and syscall latency for workloads using memfd_create, tmpfs, or shared memory segments.
- Audit kernel package versions across the fleet to identify hosts still running pre-patch builds.
How to Mitigate CVE-2026-23177
Immediate Actions Required
- Apply the upstream stable kernel updates that include commits 2030dddf, 7b6a0f12, and dfc3ab6b.
- Reboot affected systems after kernel installation to load the patched image.
- Restrict local user access on multi-tenant hosts until patches are rolled out.
Patch Information
The upstream fix rounds the truncate retry index down to the base of the large swap entry and aborts when the rounded index is smaller than the truncate range. Distribution maintainers have backported the change to supported stable branches. Consult the Linux kernel stable tree and your distribution's security advisories for the appropriate package version.
Workarounds
- Disable or limit swap on hosts that cannot be patched promptly, reducing the likelihood of large swap entries appearing in shmem.
- Constrain tmpfs and shared memory allocations for untrusted local users through cgroup memory.max and memory.swap.max limits.
- Enable kernel softlockup_panic to recover via reboot rather than remaining hung, where availability tradeoffs allow it.
# Verify the running kernel includes the fix commit
uname -r
rpm -q --changelog kernel | grep -E 'shmem_free_swap|truncate race' | head
# Restrict tmpfs size for untrusted workloads (example mount)
mount -o remount,size=512M,nr_inodes=100k /dev/shm
# Enable panic on soft lockup as a recovery safeguard
sysctl -w kernel.softlockup_panic=1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
