CVE-2026-23352: Linux Kernel Privilege Escalation Flaw

CVE-2026-23352 Overview

A memory management vulnerability has been identified in the Linux kernel's x86 EFI (Extensible Firmware Interface) subsystem. The vulnerability exists in the efi_free_boot_services() function, which improperly frees memory occupied by EFI_BOOT_SERVICES_CODE and EFI_BOOT_SERVICES_DATA regions using memblock_free_late(). This leads to significant memory leaks, particularly on systems with CONFIG_DEFERRED_STRUCT_PAGE_INIT=y enabled.

Critical Impact

This vulnerability causes memory leaks of approximately 140MB on systems with limited RAM (e.g., EC2 t3a.nano instances with 512MB), significantly impacting system performance and stability on memory-constrained environments.

Affected Products

• Linux kernel (x86 architecture with EFI boot support)
• Systems with CONFIG_DEFERRED_STRUCT_PAGE_INIT=y configuration
• Cloud instances and embedded systems with limited RAM

Discovery Timeline

• 2026-03-25 - CVE CVE-2026-23352 published to NVD
• 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2026-23352

Vulnerability Analysis

The vulnerability stems from improper memory deallocation practices in the Linux kernel's EFI boot services handling. The efi_free_boot_services() function uses memblock_free_late() to free boot services memory, but this approach has two fundamental problems.

First, memblock_free_late() is designed for memory allocated with memblock_alloc(), while the EFI boot services memory is reserved using memblock_reserve() and should be freed with free_reserved_area() instead.

Second, and more critically, when deferred struct page initialization is enabled (CONFIG_DEFERRED_STRUCT_PAGE_INIT=y), the efi_free_boot_services() function is called before the deferred memory map initialization completes. This timing issue means that when memblock_free_late() calls memblock_free_pages(), any pages residing in still-uninitialized memory map regions are silently skipped rather than properly freed.

Benjamin Herrenschmidt reported this issue after observing approximately 140MB of RAM being leaked on Amazon EC2 t3a.nano instances, which is particularly significant given these instances only have 512MB of total RAM.

Root Cause

The root cause is twofold: incorrect API usage for freeing reserved memory regions and a race condition between EFI boot services memory cleanup and deferred memory map initialization. The memblock_free_late() function skips uninitialized pages, and using free_reserved_area() at this early stage would also be problematic because __free_page() accesses the buddy of the freed page, which might also reside in uninitialized memory map regions.

Attack Vector

This is a kernel-level memory management bug rather than a remotely exploitable security vulnerability. The impact is primarily availability-related, causing significant memory waste on affected systems. The vulnerability is triggered automatically during the boot process on systems with EFI boot and deferred struct page initialization enabled.

While not directly exploitable for code execution, the memory leak could be leveraged as part of a resource exhaustion attack chain, particularly on memory-constrained cloud instances or embedded systems where the ~140MB leak represents a significant portion of available system memory.

Detection Methods for CVE-2026-23352

Indicators of Compromise

• Unexplained memory usage reduction of approximately 140MB on EFI-booted Linux systems
• Discrepancy between expected and available RAM reported by system tools
• Boot-time memory allocation warnings in kernel logs related to EFI regions

Detection Strategies

• Monitor available memory at boot time and compare against expected values based on hardware specifications
• Check kernel configuration for CONFIG_DEFERRED_STRUCT_PAGE_INIT=y on affected systems
• Review dmesg output for EFI memory map entries and compare against actual freed memory

Monitoring Recommendations

• Implement baseline monitoring for available RAM on cloud instances, particularly memory-constrained configurations
• Configure alerts for significant deviations from expected memory availability post-boot
• Track EFI memory regions through /sys/firmware/efi/ entries and correlate with system memory reports

How to Mitigate CVE-2026-23352

Immediate Actions Required

• Apply the kernel patches that split efi_free_boot_services() into efi_unmap_boot_services() and a deferred efi_free_boot_services()
• On memory-constrained systems, consider disabling CONFIG_DEFERRED_STRUCT_PAGE_INIT as a temporary workaround until patching is possible
• Prioritize patching on cloud instances and systems with 1GB or less of RAM where the leak has proportionally greater impact

Patch Information

The fix involves splitting the efi_free_boot_services() function into two parts. The new efi_unmap_boot_services() function collects the memory ranges that should be freed into an array, while efi_free_boot_services() is deferred to run after deferred struct page initialization completes. This ensures proper memory deallocation without synchronization issues.

Multiple kernel commits address this vulnerability:

• Kernel Commit 22768831
• Kernel Commit 399da820
• Kernel Commit 4a2cb90c
• Kernel Commit 6a25e252
• Kernel Commit 7dcf5942
• Kernel Commit a4b0bf6a
• Kernel Commit f9e9cc32

Workarounds

• Disable deferred struct page initialization by rebuilding the kernel without CONFIG_DEFERRED_STRUCT_PAGE_INIT
• For cloud deployments, consider using instance types with additional RAM headroom until patches can be applied
• On systems where patching is delayed, monitor for memory exhaustion conditions and implement automated restarts if memory falls below critical thresholds

# Check if your kernel has deferred struct page init enabled
zcat /proc/config.gz | grep CONFIG_DEFERRED_STRUCT_PAGE_INIT

# Verify current EFI memory map status
dmesg | grep -i "efi:" | head -20

# Monitor available memory for potential leak impact
free -m && cat /proc/meminfo | grep -E "(MemTotal|MemFree|MemAvailable)"