CVE-2026-23380

MEDIUM

tracing: Fix WARN_ON in tracing_buffers_mmap_close

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: tracing: Fix WARN_ON in tracing_buffers_mmap_close When a process forks, the child process copies the parent's VMAs but the user_mapped reference count is not incremented. As a result, when both the parent and child processes exit, tracing_buffers_mmap_close() is called twice. On the second call, user_mapped is already 0, causing the function to return -ENODEV and triggering a WARN_ON. Normally, this isn't an issue as the memory is mapped with VM_DONTCOPY set. But this is only a hint, and the application can call madvise(MADVISE_DOFORK) which resets the VM_DONTCOPY flag. When the application does that, it can trigger this issue on fork. Fix it by incrementing the user_mapped reference count without re-mapping the pages in the VMA's open callback.

Scores

CVSS v3 5.5
EPSS 0.0011
EPSS Percentile 1.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-617
Status published
Products (17)
linux/Kernel 6.10.0 - 6.12.77linux
linux/Kernel 6.13.0 - 6.18.17linux
linux/Kernel 6.19.0 - 6.19.7linux
Linux/Linux < 6.10
Linux/Linux 6.10
Linux/Linux 6.12.77 - 6.12.*
Linux/Linux 6.18.17 - 6.18.*
Linux/Linux 6.19.7 - 6.19.*
Linux/Linux 7.0
Linux/Linux 7.0-rc3
... and 7 more
Published Mar 25, 2026
Tracked Since Mar 25, 2026