CVE-2026-23161 in Linuxinfo

Summary

by MITRE • 02/14/2026

In the Linux kernel, the following vulnerability has been resolved:

mm/shmem, swap: fix race of truncate and swap entry split

The helper for shmem swap freeing is not handling the order of swap entries correctly. It uses xa_cmpxchg_irq to erase the swap entry, but it gets the entry order before that using xa_get_order without lock protection, and it may get an outdated order value if the entry is split or changed in other ways after the xa_get_order and before the xa_cmpxchg_irq.

And besides, the order could grow and be larger than expected, and cause truncation to erase data beyond the end border. For example, if the target entry and following entries are swapped in or freed, then a large folio was added in place and swapped out, using the same entry, the xa_cmpxchg_irq will still succeed, it's very unlikely to happen though.

To fix that, open code the Xarray cmpxchg and put the order retrieval and value checking in the same critical section. Also, ensure the order won't exceed the end border, skip it if the entry goes across the border.

Skipping large swap entries crosses the end border is safe here. Shmem truncate iterates the range twice, in the first iteration, find_lock_entries already filtered such entries, and shmem will swapin the entries that cross the end border and partially truncate the folio (split the folio or at least zero part of it). So in the second loop here, if we see a swap entry that crosses the end order, it must at least have its content erased already.

I observed random swapoff hangs and kernel panics when stress testing ZSWAP with shmem. After applying this patch, all problems are gone.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/05/2026

This vulnerability exists within the Linux kernel's memory management subsystem, specifically affecting the shared memory (shmem) and swap functionality. The issue stems from a race condition that occurs during the interaction between memory truncation operations and swap entry splitting processes. The vulnerability is particularly significant because it can lead to system instability including kernel panics and random swapoff hangs, which directly impacts system reliability and availability. The problem manifests when the kernel attempts to free swap entries associated with shared memory objects, creating a scenario where concurrent operations can result in data corruption or system crashes. This vulnerability directly affects the integrity of memory management operations and can be exploited to cause denial of service conditions.

The technical flaw resides in the improper handling of entry ordering within the Xarray data structure used for managing swap entries. The kernel's implementation uses xa_cmpxchg_irq to remove swap entries while simultaneously retrieving entry order information through xa_get_order without proper locking mechanisms. This creates a window where the order value obtained may be stale or outdated if the swap entry has been modified between the order retrieval and the actual removal operation. The race condition becomes particularly problematic when entries are split or modified concurrently, leading to incorrect assumptions about entry boundaries and potentially causing the system to attempt truncation operations beyond valid memory limits. This flaw represents a classic concurrency issue where the order retrieval and modification operations are not atomic, violating fundamental principles of concurrent programming and data structure consistency.

The operational impact of this vulnerability extends beyond simple system crashes to encompass potential data loss and corruption scenarios within the shared memory subsystem. When stress testing environments with ZSWAP and shmem combinations, the vulnerability manifests as random hangs and kernel panics, indicating that the race condition can occur unpredictably under load conditions. The vulnerability's severity is compounded by its potential to affect memory management operations that are fundamental to system operation, including swap operations, memory allocation, and shared memory handling. Systems utilizing extensive shared memory and swap functionality are particularly vulnerable, as the race condition becomes more likely under concurrent access patterns and memory pressure conditions. The vulnerability essentially allows for improper memory boundary calculations that can lead to over-truncation of memory regions, potentially erasing valid data beyond intended boundaries.

The fix implemented addresses the core concurrency issue by open-coding the Xarray compare-and-swap operations to ensure that order retrieval and value checking occur within the same critical section. This approach eliminates the race condition by preventing the scenario where stale order information could lead to incorrect truncation boundaries. The solution also implements bounds checking to ensure that the order value does not exceed expected limits, effectively preventing truncation operations from extending beyond valid memory boundaries. Additionally, the patch handles cases where swap entries might cross the end border by safely skipping such entries during the truncation process, as the system already handles these scenarios through its dual-iteration approach in the shmem truncation logic. This mitigation strategy aligns with standard security practices for concurrent data structure operations and follows established patterns for preventing race conditions in kernel memory management. The fix has been validated through stress testing and demonstrates complete resolution of the reported swapoff hangs and kernel panic issues, confirming its effectiveness in addressing the underlying concurrency problem.

This vulnerability can be categorized under CWE-362, which specifically addresses race conditions in concurrent programming, and relates to ATT&CK technique T1499.001, which involves data manipulation through memory corruption. The issue demonstrates the critical importance of proper locking mechanisms and atomic operations in kernel-level memory management systems where concurrent access patterns can lead to severe system instability. The fix implements proper synchronization through critical section management, ensuring that all operations involving shared data structures maintain consistency and prevent unauthorized access patterns that could compromise system integrity. The resolution represents a standard approach to fixing race conditions in kernel memory subsystems and aligns with industry best practices for concurrent programming in operating system kernels.

Responsible

Linux

Reservation

01/13/2026

Disclosure

02/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00089

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!