{"id":"CVE-2026-23225","summary":"sched/mmcid: Don't assume CID is CPU owned on mode switch","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nsched/mmcid: Don't assume CID is CPU owned on mode switch\n\nShinichiro reported a KASAN UAF, which is actually an out of bounds access\nin the MMCID management code.\n\n   CPU0\t\t\t\t\t\tCPU1\n   \t\t\t\t\t\tT1 runs in userspace\n   T0: fork(T4) -\u003e Switch to per CPU CID mode\n         fixup() set MM_CID_TRANSIT on T1/CPU1\n   T4 exit()\n   T3 exit()\n   T2 exit()\n\t\t\t\t\t\tT1 exit() switch to per task mode\n\t\t\t\t\t\t ---\u003e Out of bounds access.\n\nAs T1 has not scheduled after T0 set the TRANSIT bit, it exits with the\nTRANSIT bit set. sched_mm_cid_remove_user() clears the TRANSIT bit in\nthe task and drops the CID, but it does not touch the per CPU storage.\nThat's functionally correct because a CID is only owned by the CPU when\nthe ONCPU bit is set, which is mutually exclusive with the TRANSIT flag.\n\nNow sched_mm_cid_exit() assumes that the CID is CPU owned because the\nprior mode was per CPU. It invokes mm_drop_cid_on_cpu() which clears the\nnot set ONCPU bit and then invokes clear_bit() with an insanely large\nbit number because TRANSIT is set (bit 29).\n\nPrevent that by actually validating that the CID is CPU owned in\nmm_drop_cid_on_cpu().","modified":"2026-04-02T13:12:16.974815Z","published":"2026-02-18T14:53:28.387Z","related":["openSUSE-SU-2026:10387-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23225.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1e83ccd5921a610ef409a7d4e56db27822b4ea39"},{"type":"WEB","url":"https://git.kernel.org/stable/c/81f29975631db8a78651b3140ecd0f88ffafc476"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23225.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23225"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"007d84287c7466ca68a5809b616338214dc5b77b"},{"fixed":"81f29975631db8a78651b3140ecd0f88ffafc476"},{"fixed":"1e83ccd5921a610ef409a7d4e56db27822b4ea39"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23225.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.1"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23225.json"}}],"schema_version":"1.7.5"}
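A stand-alone C model of the failure described in the commit message and of the check the fix adds. This is an added example, not the kernel's code: the names MM_CID_TRANSIT, MM_CID_ONCPU, mm_drop_cid_on_cpu() and clear_bit() and the fact that TRANSIT is bit 29 come from the commit message, while the bit position of ONCPU, the per-CPU slot and bitmap layout, the function names drop_cid_on_cpu_buggy/drop_cid_on_cpu_fixed and the bounds-checked clear_bit() stand-in are assumptions of the model. The scenario replays the race: a TRANSIT-marked slot that never became ONCPU is handed to the drop routine at exit, and the bit number that reaches clear_bit() is the CID index with bit 29 still set.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* TRANSIT at bit 29 is from the commit message; ONCPU at bit 30 is an
 * assumption of this model. The low bits hold the CID index. */
#define MM_CID_TRANSIT  (1u << 29)
#define MM_CID_ONCPU    (1u << 30)
#define NR_CIDS         64      /* bitmap size in this model */

struct cid_bitmap {
	uint64_t bits;              /* one bit per CID, NR_CIDS == 64 */
	unsigned long oob_clears;   /* clear_bit() calls outside the map */
};

struct pcpu_cid {
	unsigned int cid;           /* per-CPU slot: index plus flag bits */
};

/* Bounds-checked stand-in for clear_bit(). The kernel helper has no such
 * check, so an oversized bit number is a plain out-of-bounds write; here
 * it is counted so the model runs to completion. */
static bool model_clear_bit(unsigned int nr, struct cid_bitmap *bm)
{
	if (nr >= NR_CIDS) {
		bm->oob_clears++;
		return false;
	}
	bm->bits &= ~(UINT64_C(1) << nr);
	return true;
}

/* Bit number the pre-fix path hands to clear_bit() for a slot value. */
static unsigned int bit_number_passed(unsigned int slot_cid)
{
	return slot_cid & ~MM_CID_ONCPU;
}

/* Pre-fix behaviour (modelled): assume the slot is CPU owned, strip ONCPU
 * and pass the rest to clear_bit(). With TRANSIT set that is idx | 1<<29. */
static bool drop_cid_on_cpu_buggy(struct pcpu_cid *slot, struct cid_bitmap *bm)
{
	unsigned int nr = bit_number_passed(slot->cid);

	slot->cid = 0;
	return model_clear_bit(nr, bm);
}

/* Post-fix behaviour (modelled): only an ONCPU slot owns a CID; a TRANSIT
 * or empty slot has nothing to drop, so leave the bitmap alone. */
static bool drop_cid_on_cpu_fixed(struct pcpu_cid *slot, struct cid_bitmap *bm)
{
	unsigned int nr;

	if (!(slot->cid & MM_CID_ONCPU))
		return false;
	nr = slot->cid & ~MM_CID_ONCPU;
	slot->cid = 0;
	return model_clear_bit(nr, bm);
}

typedef bool (*drop_fn_t)(struct pcpu_cid *, struct cid_bitmap *);

/* The race from the commit message: fixup() set TRANSIT on CPU1's slot
 * while T1 stayed in userspace, so the slot never became ONCPU, and
 * sched_mm_cid_remove_user() already released CID 3 in the bitmap. T1's
 * exit then switches to per-task mode and "drops the CPU's CID".
 * Returns the number of out-of-bounds clear_bit() calls observed. */
static unsigned long run_transit_exit(drop_fn_t drop)
{
	struct cid_bitmap bm = { .bits = 0, .oob_clears = 0 };
	struct pcpu_cid cpu1 = { .cid = 3u | MM_CID_TRANSIT };

	drop(&cpu1, &bm);
	return bm.oob_clears;
}

/* Control case: a genuinely CPU-owned CID 5 must still be released. */
static bool run_owned_exit(drop_fn_t drop)
{
	struct cid_bitmap bm = { .bits = UINT64_C(1) << 5, .oob_clears = 0 };
	struct pcpu_cid cpu1 = { .cid = 5u | MM_CID_ONCPU };

	drop(&cpu1, &bm);
	return bm.bits == 0 && bm.oob_clears == 0;
}

int main(void)
{
	printf("clear_bit() number for TRANSIT|3: %u (map has %d bits)\n",
	       bit_number_passed(3u | MM_CID_TRANSIT), NR_CIDS);
	printf("buggy: %lu OOB clear(s), fixed: %lu OOB clear(s)\n",
	       run_transit_exit(drop_cid_on_cpu_buggy),
	       run_transit_exit(drop_cid_on_cpu_fixed));
	printf("fixed still releases an owned CID: %s\n",
	       run_owned_exit(drop_cid_on_cpu_fixed) ? "yes" : "no");
	return 0;
}
```

The model's clear_bit() refuses the oversized index; the real one does not, and a bit number of 3 | (1 << 29) lands 64 MiB past the start of the bitmap, which is the out-of-bounds write KASAN flagged. The fixed routine keys ownership off ONCPU rather than off the previous mode, so a TRANSIT slot is left alone while an ONCPU slot is still released normally, as the control case checks.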