CVE-2026-23195 Overview
CVE-2026-23195 is a Use-After-Free (UAF) vulnerability in the Linux kernel's cgroup device memory (dmem) subsystem. The vulnerability occurs when a memory pool is freed while callers still hold references to it, leading to a slab-use-after-free condition in the page_counter_uncharge function. This can result in memory corruption and potential system instability.
Critical Impact
The vulnerability allows a Use-After-Free condition in the kernel's memory management subsystem, potentially leading to kernel memory corruption, denial of service, or privilege escalation when a cgroup dmem pool is accessed after being freed.
Affected Products
- Linux kernel versions with cgroup/dmem functionality
- Linux kernel version 6.19.0-rc7-next-20260129 and potentially earlier versions
- Systems using device memory cgroup (dmem) features
Discovery Timeline
- 2026-02-14 - CVE CVE-2026-23195 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-23195
Vulnerability Analysis
This Use-After-Free vulnerability exists in the Linux kernel's cgroup device memory (dmem) pool management code. The issue manifests when a memory region associated with a dmem pool is unregistered while callers still hold active references to the pool. The kernel frees the pool memory prematurely, but subsequent operations—such as dmem_cgroup_uncharge—attempt to access the now-freed memory structure.
The KASAN (Kernel Address Sanitizer) report indicates an 8-byte write operation occurring at a memory address within a freed 512-byte slab allocation. The offending access occurs in the page_counter_uncharge function, which is called during the charge accounting cleanup process. This creates a dangerous window where memory that has been returned to the slab allocator can be corrupted by stale pointer dereferences.
Root Cause
The root cause is improper lifetime management of dmem pool objects. The original implementation lacked reference counting for pool structures, allowing pools to be freed during memory region unregistration even when external callers still held references to them. Without proper reference counting, the kernel cannot track whether the pool is still in use by other components, leading to premature deallocation.
The call trace shows dmem_cgroup_uncharge at offset 0x1f/0x260 invoking page_counter_uncharge at offset 0x65/0x150, demonstrating that uncharge operations were attempting to access pool data structures that had already been freed by task 0 (the idle/swapper task or kworker).
Attack Vector
The attack vector for this vulnerability involves triggering the race condition between pool deallocation and uncharge operations. An attacker with the ability to load kernel modules (as indicated by task insmod/527 in the trace) or manipulate cgroup device memory registrations could potentially exploit this condition.
The vulnerability can be triggered by:
- Allocating and using a dmem cgroup pool
- Initiating an unregister operation on the associated memory region
- Racing with pending uncharge operations that still reference the pool
- Causing the kernel to write to freed memory, potentially corrupting subsequent allocations
While exploitation complexity is non-trivial due to the timing requirements, successful exploitation could lead to kernel memory corruption, denial of service, or potentially privilege escalation if an attacker can control the contents of the reallocated slab object.
Detection Methods for CVE-2026-23195
Indicators of Compromise
- Kernel log messages containing "KASAN: slab-use-after-free in page_counter_uncharge"
- System crashes or kernel panics during cgroup dmem operations
- Tainted kernel flags indicating out-of-tree module activity ([O]=OOT_MODULE)
- Unexpected kernel memory state errors in the kmalloc-512 cache
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) in kernel builds to detect UAF conditions at runtime
- Monitor kernel logs for memory corruption warnings related to dmem_cgroup functions
- Implement kernel tracing on page_counter_uncharge and dmem_cgroup_uncharge functions
- Deploy kernel debugging tools to track slab allocation patterns in production environments
Monitoring Recommendations
- Configure centralized logging to capture kernel messages from /dev/kmsg or dmesg output
- Set up alerts for KASAN reports and memory sanitizer violations in kernel logs
- Monitor system stability metrics for unexpected crashes during cgroup operations
- Track module loading events with auditd to identify potential exploitation attempts
How to Mitigate CVE-2026-23195
Immediate Actions Required
- Apply the kernel patches referenced in the kernel git commits
- Update to a patched Linux kernel version containing the reference counting fix
- Restrict kernel module loading capabilities to trusted administrators only
- Consider disabling dmem cgroup functionality if not required in your environment
Patch Information
The vulnerability has been resolved in the Linux kernel through the addition of a reference counter to each dmem pool structure. This ensures that pools are only freed when their reference count drops to zero, preventing the UAF condition. The fix is available in the following commits:
- Commit 99a2ef5 - Primary fix implementing pool reference counting
- Commit d3081353 - Additional stability improvements
Workarounds
- Limit access to kernel module loading using Linux Security Modules (LSM) like AppArmor or SELinux
- Avoid unregistering dmem memory regions while operations are in progress
- Use cgroup v2 with careful lifecycle management to minimize exposure
- Deploy kernel live patching solutions if available for your distribution
# Check current kernel version and verify patch status
uname -r
# Verify if cgroup dmem is in use
cat /proc/cgroups | grep -i dmem
# Restrict module loading via sysctl (temporary mitigation)
sysctl -w kernel.modules_disabled=1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
