Linux Kernel up to 7.0-rc2 EFI Boot Service efi_free_boot_services initialization

CVSS Meta Temp Score
CVSS is a standardized scoring system to determine possibilities of attacks. The Temp Score considers temporal factors like disclosure, exploit and countermeasures. The unique Meta Score calculates the average score of different sources to provide a normalized scoring system.
Current Exploit Price (≈)
Our analysts are monitoring exploit markets and are in contact with vulnerability brokers. The range indicates the observed or calculated exploit price to be seen on exploit markets. A good indicator to understand the monetary effort required for and the popularity of an attack.
CTI Interest Score
Our Cyber Threat Intelligence team is monitoring different web sites, mailing lists, exploit markets and social media networks. The CTI Interest Score identifies the interest of attackers and the security community for this specific vulnerability in real-time. A high score indicates an elevated risk to be targeted for this vulnerability.
5.5$0-$5k0.00

Summaryinfo

A vulnerability was found in Linux Kernel up to 7.0-rc2. It has been rated as critical. This impacts the function efi_free_boot_services of the component EFI Boot Service. The manipulation leads to initialization. This vulnerability is uniquely identified as CVE-2026-23352. No exploit exists. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in Linux Kernel up to 7.0-rc2. It has been rated as critical. This issue affects the function efi_free_boot_services of the component EFI Boot Service. The manipulation with an unknown input leads to a initialization vulnerability. Using CWE to declare the problem leads to CWE-665. The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. Impacted is availability. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: x86/efi: defer freeing of boot services memory efi_free_boot_services() frees memory occupied by EFI_BOOT_SERVICES_CODE and EFI_BOOT_SERVICES_DATA using memblock_free_late(). There are two issue with that: memblock_free_late() should be used for memory allocated with memblock_alloc() while the memory reserved with memblock_reserve() should be freed with free_reserved_area(). More acutely, with CONFIG_DEFERRED_STRUCT_PAGE_INIT=y efi_free_boot_services() is called before deferred initialization of the memory map is complete. Benjamin Herrenschmidt reports that this causes a leak of ~140MB of RAM on EC2 t3a.nano instances which only have 512MB or RAM. If the freed memory resides in the areas that memory map for them is still uninitialized, they won't be actually freed because memblock_free_late() calls memblock_free_pages() and the latter skips uninitialized pages. Using free_reserved_area() at this point is also problematic because __free_page() accesses the buddy of the freed page and that again might end up in uninitialized part of the memory map. Delaying the entire efi_free_boot_services() could be problematic because in addition to freeing boot services memory it updates efi.memmap without any synchronization and that's undesirable late in boot when there is concurrency. More robust approach is to only defer freeing of the EFI boot services memory. Split efi_free_boot_services() in two. First efi_unmap_boot_services() collects ranges that should be freed into an array then efi_free_boot_services() later frees them after deferred init is complete.

It is possible to read the advisory at git.kernel.org. The identification of this vulnerability is CVE-2026-23352 since 01/13/2026. Technical details of the vulnerability are known, but there is no available exploit.

Upgrading to version 6.1.167, 6.6.130, 6.12.77, 6.18.17, 6.19.7 or 7.0-rc3 eliminates this vulnerability. Applying the patch 4a2cb90c538f06c873a187aa743575d48685d7a6/227688312fece0026fc67a00ba9a0b3611ebe95d/6a25e25279282c5c8ade554c04c6ab9dc7902c64/399da820ecfe6f4f10c143e5c453d3559a04db9c/f9e9cc320854a76a39e7bc92d144554f3a727fad/7dcf59422a3b0d20ddda844f856b4a1e0608a326/a4b0bf6a40f3c107c67a24fbc614510ef5719980 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Type

Vendor

Name

Version

License

Website

CPE 2.3info

CPE 2.2info

CVSSv4info

VulDB Vector: 🔒
VulDB Reliability: 🔍

CVSSv3info

VulDB Meta Base Score: 5.7
VulDB Meta Temp Score: 5.5

VulDB Base Score: 5.7
VulDB Temp Score: 5.5
VulDB Vector: 🔒
VulDB Reliability: 🔍

CVSSv2info

AVACAuCIA
💳💳💳💳💳💳
💳💳💳💳💳💳
💳💳💳💳💳💳
VectorComplexityAuthenticationConfidentialityIntegrityAvailability
UnlockUnlockUnlockUnlockUnlockUnlock
UnlockUnlockUnlockUnlockUnlockUnlock
UnlockUnlockUnlockUnlockUnlockUnlock

VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍

Exploitinginfo

Class: Initialization
CWE: CWE-665
CAPEC: 🔒
ATT&CK: 🔒

Physical: No
Local: No
Remote: Partially

Availability: 🔒
Status: Not defined

EPSS Score: 🔒
EPSS Percentile: 🔒

Price Prediction: 🔍
Current Price Estimation: 🔒

0-DayUnlockUnlockUnlockUnlock
TodayUnlockUnlockUnlockUnlock

Threat Intelligenceinfo

Interest: 🔍
Active Actors: 🔍
Active APT Groups: 🔍

Countermeasuresinfo

Recommended: Upgrade
Status: 🔍

0-Day Time: 🔒

Upgrade: Kernel 6.1.167/6.6.130/6.12.77/6.18.17/6.19.7/7.0-rc3
Patch: 4a2cb90c538f06c873a187aa743575d48685d7a6/227688312fece0026fc67a00ba9a0b3611ebe95d/6a25e25279282c5c8ade554c04c6ab9dc7902c64/399da820ecfe6f4f10c143e5c453d3559a04db9c/f9e9cc320854a76a39e7bc92d144554f3a727fad/7dcf59422a3b0d20ddda844f856b4a1e0608a326/a4b0bf6a40f3c107c67a24fbc614510ef5719980

Timelineinfo

01/13/2026 CVE reserved
03/25/2026 +71 days Advisory disclosed
03/25/2026 +0 days VulDB entry created
03/30/2026 +5 days VulDB entry last update

Sourcesinfo

Vendor: kernel.org

Advisory: git.kernel.org
Status: Confirmed

CVE: CVE-2026-23352 (🔒)
GCVE (CVE): GCVE-0-2026-23352
GCVE (VulDB): GCVE-100-353087

Entryinfo

Created: 03/25/2026 13:29
Updated: 03/30/2026 10:38
Changes: 03/25/2026 13:29 (59), 03/30/2026 10:38 (1)
Complete: 🔍
Cache ID: 216:810:103

Be aware that VulDB is the high quality source for vulnerability data.

Discussion

No comments yet. Languages: en.

Please log in to comment.

PreviousOverviewNext

Might our Artificial Intelligence support you?

Check our Alexa App!