{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23380", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.007Z", "datePublished": "2026-03-25T10:27:59.682Z", "dateUpdated": "2026-03-25T10:27:59.682Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:59.682Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix WARN_ON in tracing_buffers_mmap_close\n\nWhen a process forks, the child process copies the parent's VMAs but the\nuser_mapped reference count is not incremented. As a result, when both the\nparent and child processes exit, tracing_buffers_mmap_close() is called\ntwice. On the second call, user_mapped is already 0, causing the function to\nreturn -ENODEV and triggering a WARN_ON.\n\nNormally, this isn't an issue as the memory is mapped with VM_DONTCOPY set.\nBut this is only a hint, and the application can call\nmadvise(MADVISE_DOFORK) which resets the VM_DONTCOPY flag. When the\napplication does that, it can trigger this issue on fork.\n\nFix it by incrementing the user_mapped reference count without re-mapping\nthe pages in the VMA's open callback."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/ring_buffer.h", "kernel/trace/ring_buffer.c", "kernel/trace/trace.c"], "versions": [{"version": "cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64", "lessThan": "91f3e8d84c89918769e71393f839c9fefadc2580", "status": "affected", "versionType": "git"}, {"version": "cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64", "lessThan": "cdd96641b64297a2db42676f051362b76280a58b", "status": "affected", "versionType": "git"}, {"version": "cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64", "lessThan": "b0f269ba6fefe9e3cb9feedcf78fcd0b633800c0", "status": "affected", "versionType": "git"}, {"version": "cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64", "lessThan": "e39bb9e02b68942f8e9359d2a3efe7d37ae6be0e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/ring_buffer.h", "kernel/trace/ring_buffer.c", "kernel/trace/trace.c"], "versions": [{"version": "6.10", "status": "affected"}, {"version": "0", "lessThan": "6.10", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/91f3e8d84c89918769e71393f839c9fefadc2580"}, {"url": "https://git.kernel.org/stable/c/cdd96641b64297a2db42676f051362b76280a58b"}, {"url": "https://git.kernel.org/stable/c/b0f269ba6fefe9e3cb9feedcf78fcd0b633800c0"}, {"url": "https://git.kernel.org/stable/c/e39bb9e02b68942f8e9359d2a3efe7d37ae6be0e"}], "title": "tracing: Fix WARN_ON in tracing_buffers_mmap_close", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix WARN_ON in tracing_buffers_mmap_close\n\nWhen a process forks, the child process copies the parent's VMAs but the\nuser_mapped reference count is not incremented. As a result, when both the\nparent and child processes exit, tracing_buffers_mmap_close() is called\ntwice. On the second call, user_mapped is already 0, causing the function to\nreturn -ENODEV and triggering a WARN_ON.\n\nNormally, this isn't an issue as the memory is mapped with VM_DONTCOPY set.\nBut this is only a hint, and the application can call\nmadvise(MADVISE_DOFORK) which resets the VM_DONTCOPY flag. When the\napplication does that, it can trigger this issue on fork.\n\nFix it by incrementing the user_mapped reference count without re-mapping\nthe pages in the VMA's open callback."}], "id": "CVE-2026-23380", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:38.017", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/91f3e8d84c89918769e71393f839c9fefadc2580"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b0f269ba6fefe9e3cb9feedcf78fcd0b633800c0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cdd96641b64297a2db42676f051362b76280a58b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e39bb9e02b68942f8e9359d2a3efe7d37ae6be0e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: tracing: Fix WARN_ON in tracing_buffers_mmap_close", "id": "2451266", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451266"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-911", "details": ["A flaw was found in the Linux kernel. A local user could exploit an issue in the tracing buffer's memory management when a process forks. If an application uses `madvise(MADVISE_DOFORK)`, it can cause the `tracing_buffers_mmap_close()` function to be called multiple times, leading to a system warning and potentially a denial of service."], "name": "CVE-2026-23380", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23380\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23380\nhttps://lore.kernel.org/linux-cve-announce/2026032542-CVE-2026-23380-9e3c@gregkh/T"], "statement": "This flaw affects tracing buffer mmap usage with fork(). When MADVISE_DOFORK overrides VM_DONTCOPY, the user_mapped refcount isn't incremented for child VMAs, causing double-close on both processes exiting. This triggers a WARN_ON but doesn't cause memory corruption. Requires specific madvise() usage with tracing mmap.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64,91f3e8d84c89918769e71393f839c9fefadc2580)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64,cdd96641b64297a2db42676f051362b76280a58b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64,b0f269ba6fefe9e3cb9feedcf78fcd0b633800c0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64,e39bb9e02b68942f8e9359d2a3efe7d37ae6be0e)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.10"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.10)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc3,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T04:46:10.968133+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a release that includes the tracing buffer reference\u2011counting patch.", "Verify that no production systems are running unpatched kernels.", "If the kernel must remain unchanged, avoid using madvise(DOFORK) on memory\u2011mapped tracing buffers until a patch is applied.", "Monitor system logs for WARN_ON messages related to tracing_buffers_mmap_close as an indicator of the issue."], "summary": {"action": "Apply Patch", "impact": "Kernel Warning and Incorrect Reference Count"}, "threat_synthesis": {"affected_systems": "All Linux kernel builds that contain the tracing_buffers_mmap_close code path and have not yet incorporated the reference\u2011counting fix are affected. The vulnerability exists in any unpatched kernel version released before the specific commit that increments the user_mapped counter; no exact release numbers are listed, so any system running an older kernel is potentially vulnerable.", "description_and_impact": "When a traced process forks, the child inherits the parent\u2019s memory\u2011mapped tracing buffer but the reference counter that tracks user\u2011mapped pages is not increased. The close routine then runs twice; on the second invocation the counter is already zero, resulting in a -ENODEV return and a WARN_ON being triggered. Normally the buffer is marked VM_DONTCOPY, which prevents this code path, but an application that calls madvise(DADVISE_DOFORK) clears that flag and makes the problem reproducible. The flaw produces a spurious kernel warning and a non\u2011critical error code but does not corrupt data or compromise confidentiality, integrity, or availability.", "risk_and_exploitability": "The CVSS score of 3.3 indicates low severity, and the EPSS probability of less than 1\u202f% shows a very low likelihood of exploitation. The issue is not present in the CISA KEV catalog. An attacker would need local access to run a user process that maps a tracing buffer, invokes madvise(DOFORK), then forks and terminates both parent and child. The consequence of exploitation is limited to a kernel warning and an error return, providing negligible threat to confidentiality, integrity, or availability."}}}}, "created": "2026-03-25T21:31:35.853329+00:00", "updated": "2026-03-26T12:15:39.882368+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}