CVE-2026-43178: Linux Kernel Use-After-Free Vulnerability

CVE-2026-43178 Overview

CVE-2026-43178 is a Linux kernel vulnerability in the procfs subsystem. The flaw resides in the do_procmap_query() function and can lead to a double mmput() call on an mm_struct. The condition triggers when a user supplies an incorrectly sized buffer for the build ID during a PROCMAP_QUERY ioctl request. Recent refactoring moved the -ENAMETOOLONG error path to execute after mmap_lock/per-VMA lock release and after mmput(), making the original goto out label decrement the reference count a second time. The upstream fix redirects the error path to skip the redundant cleanup and only release vm_file and name_buf.

Critical Impact

A double mmput() on mm_struct can corrupt reference counting in the kernel memory descriptor, potentially leading to use-after-free conditions or denial of service.

Affected Products

• Linux kernel versions containing the affected do_procmap_query() implementation in fs/proc/task_mmu.c
• Linux distributions shipping kernels prior to the stable patches referenced below
• Systems exposing /proc/<pid>/mapsPROCMAP_QUERY ioctl to local users

Discovery Timeline

• 2026-05-06 - CVE-2026-43178 published to NVD
• 2026-05-06 - Last updated in NVD database

Technical Details for CVE-2026-43178

Vulnerability Analysis

The vulnerability is a double-free pattern affecting the kernel mm_struct reference count. The do_procmap_query() function services the PROCMAP_QUERY ioctl on /proc/<pid>/maps, allowing user space to query virtual memory area (VMA) information including build IDs of mapped binaries. When user space passes a build ID buffer with an unsupported size, the kernel returns -ENAMETOOLONG. After recent code changes, this size validation now occurs later in the function flow, after the kernel has already released mmap_lock (or the per-VMA lock) and has already called mmput() to drop its reference on the target mm_struct. The original goto out label still performs a second mmput() during cleanup, decrementing the reference count one extra time.

Root Cause

The root cause is an incorrect error-handling label following a refactor of lock and reference acquisition order in do_procmap_query(). The error path for the build ID buffer size check assumes mmap_lock is still held and mm_struct still has the function's reference, but neither holds true at that point in the control flow. Jumping to out therefore triggers an unbalanced mmput().

Attack Vector

A local unprivileged user can invoke the PROCMAP_QUERY ioctl on a procfs maps file with a deliberately malformed build ID buffer size to drive the function into the buggy error path. Because mm_struct is a foundational kernel object referenced by the scheduler, file descriptors, and memory subsystems, prematurely dropping its reference count can free it while other kernel paths still hold pointers to it. This exposes the kernel to use-after-free conditions in addition to immediate kernel panics or denial of service.

No verified public exploitation code is available. Refer to the upstream commits for the complete patch context: Kernel Git Commit 61dc9f77, Kernel Git Commit 8adaff87, Kernel Git Commit 90f5e87c, and Kernel Git Commit f9fe0920.

Detection Methods for CVE-2026-43178

Indicators of Compromise

• Unexpected kernel oops or panic messages referencing mmput, __mmput, or do_procmap_query in dmesg or /var/log/kern.log
• KASAN reports flagging use-after-free on mm_struct allocations when running KASAN-enabled kernels
• Repeated ioctl calls against /proc/<pid>/maps returning -ENAMETOOLONG from non-administrative processes

Detection Strategies

• Audit ioctl syscalls targeting procfs maps files using auditd rules and correlate with the calling process and user identity
• Monitor kernel ring buffer output for reference counting anomalies and unexpected mm_struct teardown messages
• Review installed kernel package versions across the fleet and flag hosts running vulnerable builds prior to the upstream fix

Monitoring Recommendations

• Enable KASAN and CONFIG_DEBUG_KMEMLEAK in test environments to surface reference counting regressions early
• Forward kernel logs to a centralized logging platform and alert on panic, oops, and BUG signatures
• Track unprivileged process activity that opens /proc/*/maps followed by ioctl invocations as a baseline anomaly

How to Mitigate CVE-2026-43178

Immediate Actions Required

• Apply the upstream stable kernel update containing the fix and reboot affected systems
• Inventory all Linux hosts and prioritize multi-tenant systems where untrusted local users have shell access
• Restrict access to interactive shells and unprivileged code execution on shared infrastructure until patching completes

Patch Information

The issue is fixed in the Linux stable trees by the commits referenced in the NVD entry. The patch redirects the -ENAMETOOLONG error path to a label that cleans up only vm_file and name_buf, avoiding the duplicate mmput() call. Apply the kernel package provided by your distribution that incorporates Kernel Git Commit 61dc9f77, Kernel Git Commit 8adaff87, Kernel Git Commit 90f5e87c, or Kernel Git Commit f9fe0920.

Workarounds

• Limit local user access on multi-tenant Linux systems until the patch is deployed
• Use seccomp or LSM policies to constrain ioctl calls against procfs from untrusted processes
• Apply mandatory access controls such as SELinux or AppArmor to reduce reachable attack surface against /proc/<pid>/maps

# Verify the running kernel and confirm the patch is present
uname -r
rpm -q --changelog kernel | grep -i procmap_query   # RHEL/derivatives
dpkg -s linux-image-$(uname -r) | grep -i version    # Debian/Ubuntu