{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23380", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.007Z", "datePublished": "2026-03-25T10:27:59.682Z", "dateUpdated": "2026-04-13T06:06:16.302Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-13T06:06:16.302Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix WARN_ON in tracing_buffers_mmap_close\n\nWhen a process forks, the child process copies the parent's VMAs but the\nuser_mapped reference count is not incremented. As a result, when both the\nparent and child processes exit, tracing_buffers_mmap_close() is called\ntwice. On the second call, user_mapped is already 0, causing the function to\nreturn -ENODEV and triggering a WARN_ON.\n\nNormally, this isn't an issue as the memory is mapped with VM_DONTCOPY set.\nBut this is only a hint, and the application can call\nmadvise(MADVISE_DOFORK) which resets the VM_DONTCOPY flag. When the\napplication does that, it can trigger this issue on fork.\n\nFix it by incrementing the user_mapped reference count without re-mapping\nthe pages in the VMA's open callback."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/ring_buffer.h", "kernel/trace/ring_buffer.c", "kernel/trace/trace.c"], "versions": [{"version": "cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64", "lessThan": "91f3e8d84c89918769e71393f839c9fefadc2580", "status": "affected", "versionType": "git"}, {"version": "cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64", "lessThan": "cdd96641b64297a2db42676f051362b76280a58b", "status": "affected", "versionType": "git"}, {"version": "cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64", "lessThan": "b0f269ba6fefe9e3cb9feedcf78fcd0b633800c0", "status": "affected", "versionType": "git"}, {"version": "cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64", "lessThan": "e39bb9e02b68942f8e9359d2a3efe7d37ae6be0e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/ring_buffer.h", "kernel/trace/ring_buffer.c", "kernel/trace/trace.c"], "versions": [{"version": "6.10", "status": "affected"}, {"version": "0", "lessThan": "6.10", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/91f3e8d84c89918769e71393f839c9fefadc2580"}, {"url": "https://git.kernel.org/stable/c/cdd96641b64297a2db42676f051362b76280a58b"}, {"url": "https://git.kernel.org/stable/c/b0f269ba6fefe9e3cb9feedcf78fcd0b633800c0"}, {"url": "https://git.kernel.org/stable/c/e39bb9e02b68942f8e9359d2a3efe7d37ae6be0e"}], "title": "tracing: Fix WARN_ON in tracing_buffers_mmap_close", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4D9050EB-F18B-4690-99BF-CC9BF4595FF5", "versionEndExcluding": "6.12.77", "versionStartIncluding": "6.10.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA", "versionEndExcluding": "6.18.17", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:-:*:*:*:*:*:*", "matchCriteriaId": "9EA80796-744E-45F5-8632-2AB4F7889FCD", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix WARN_ON in tracing_buffers_mmap_close\n\nWhen a process forks, the child process copies the parent's VMAs but the\nuser_mapped reference count is not incremented. As a result, when both the\nparent and child processes exit, tracing_buffers_mmap_close() is called\ntwice. On the second call, user_mapped is already 0, causing the function to\nreturn -ENODEV and triggering a WARN_ON.\n\nNormally, this isn't an issue as the memory is mapped with VM_DONTCOPY set.\nBut this is only a hint, and the application can call\nmadvise(MADVISE_DOFORK) which resets the VM_DONTCOPY flag. When the\napplication does that, it can trigger this issue on fork.\n\nFix it by incrementing the user_mapped reference count without re-mapping\nthe pages in the VMA's open callback."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ntracing: Correcci\u00f3n de WARN_ON en tracing_buffers_mmap_close\n\nCuando un proceso hace fork, el proceso hijo copia los VMAs del padre pero el contador de referencias user_mapped no se incrementa. Como resultado, cuando tanto el proceso padre como el hijo terminan, tracing_buffers_mmap_close() se llama dos veces. En la segunda llamada, user_mapped ya es 0, lo que hace que la funci\u00f3n devuelva -ENODEV y active un WARN_ON.\n\nNormalmente, esto no es un problema ya que la memoria est\u00e1 mapeada con VM_DONTCOPY establecido. Pero esto es solo una sugerencia, y la aplicaci\u00f3n puede llamar a madvise(MADVISE_DOFORK) lo que restablece el flag VM_DONTCOPY. Cuando la aplicaci\u00f3n hace eso, puede activar este problema al hacer fork.\n\nSe soluciona incrementando el contador de referencias user_mapped sin remapear las p\u00e1ginas en la funci\u00f3n de callback 'open' del VMA."}], "id": "CVE-2026-23380", "lastModified": "2026-04-24T16:28:47.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T11:16:38.017", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/91f3e8d84c89918769e71393f839c9fefadc2580"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b0f269ba6fefe9e3cb9feedcf78fcd0b633800c0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cdd96641b64297a2db42676f051362b76280a58b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e39bb9e02b68942f8e9359d2a3efe7d37ae6be0e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: tracing: Fix WARN_ON in tracing_buffers_mmap_close", "id": "2451266", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451266"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-911", "details": ["A flaw was found in the Linux kernel. A local user could exploit an issue in the tracing buffer's memory management when a process forks. If an application uses `madvise(MADVISE_DOFORK)`, it can cause the `tracing_buffers_mmap_close()` function to be called multiple times, leading to a system warning and potentially a denial of service."], "name": "CVE-2026-23380", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23380\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23380\nhttps://lore.kernel.org/linux-cve-announce/2026032542-CVE-2026-23380-9e3c@gregkh/T"], "statement": "This flaw affects tracing buffer mmap usage with fork(). When MADVISE_DOFORK overrides VM_DONTCOPY, the user_mapped refcount isn't incremented for child VMAs, causing double-close on both processes exiting. This triggers a WARN_ON but doesn't cause memory corruption. Requires specific madvise() usage with tracing mmap.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64,91f3e8d84c89918769e71393f839c9fefadc2580)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64,cdd96641b64297a2db42676f051362b76280a58b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64,b0f269ba6fefe9e3cb9feedcf78fcd0b633800c0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64,e39bb9e02b68942f8e9359d2a3efe7d37ae6be0e)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.10"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.10)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc3,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T16:59:33.506789+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel patch that includes the fix for the double\u2011close warning.", "If your applications use madvise with MADVISE_DOFORK, evaluate whether this is necessary and remove it if not critical.", "Monitor kernel logs for occurrences of WARN_ON related to tracing buffers, and investigate any unexplained instances."], "summary": {"action": "Apply Patch", "impact": "Double close of tracing buffers on fork can trigger WARN_ON and return -ENODEV, but does not permit code execution."}, "threat_synthesis": {"affected_systems": "This issue is present in the Linux kernel across all versions affected by the tracking commit. The specific version range is not supplied in the advisory. Users running any recent Linux kernel should verify whether the fix is included.", "description_and_impact": "When a process is forked, the child inherits the parent's virtual memory areas, but the user\u2011mapped reference counter for tracing buffers is not increased. If both parent and child exit, the cleanup routine is invoked twice. On the second invocation the counter is already zero, causing a negative error return and a warning. The vulnerability does not lead to arbitrary code execution or privilege escalation; it simply results in a warning and a benign error code. It may, however, clutter logs or be abused for denial\u2011of\u2011service style sabotage, but no direct exploitation path is documented.", "risk_and_exploitability": "The CVSS score of 5.5 rates this as medium severity, and the EPSS probability is below 1\u202f%. It is not listed in the CISA KEV catalog and no exploits are known. The likely attack vector is local: a process with the ability to fork can trigger the double closure by using madvise(MADVISE_DOFORK) to clear the VM_DONTCOPY flag. Because no remote exploitation or privilege escalation is possible, the overall risk is considered medium but should still be observed if suspicious warning messages appear."}}}}, "created": "2026-03-25T21:31:35.853329+00:00", "updated": "2026-04-28T17:00:13.472745+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}