CVE-2026-23161
Published: 14 February 2026
Summary
CVE-2026-23161 is a high-severity Race Condition (CWE-362) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-23161 is a race condition vulnerability in the Linux kernel's memory management subsystems, specifically affecting the mm/shmem and swap components. The issue arises in the shmem swap freeing helper, which fails to correctly handle the order of swap entries. It retrieves the entry order using xa_get_order without lock protection, potentially obtaining an outdated value if the entry is split or modified before the subsequent xa_cmpxchg_irq operation. This can allow the order to exceed expected bounds, leading to truncation that erases data beyond the file's end boundary.
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation may result in limited confidentiality impact, high integrity impact through data corruption or improper truncation, and high availability impact, such as kernel panics or hangs during operations like swapoff. The CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H) reflects these characteristics, tied to CWE-362 (concurrent execution using shared resource with improper synchronization).
Mitigation is provided through kernel patches available in stable releases, as detailed in the referenced commits: https://git.kernel.org/stable/c/8a1968bd997f45a9b11aefeabdd1232e1b6c7184, https://git.kernel.org/stable/c/a99f9a4669a04662c8f9efe0e62cafc598153139, and https://git.kernel.org/stable/c/b23bee8cdb7aabce5701a7f57414db5a354ae8ed. These patches open-code the Xarray cmpxchg operation to ensure order retrieval and value checking occur within the same critical section, while also skipping large swap entries that cross the end boundary to prevent over-truncation. The fix resolved observed swapoff hangs and kernel panics during stress testing of ZSWAP with shmem.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5877
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: mm/shmem, swap: fix race of truncate and swap entry split The helper for shmem swap freeing is not handling the order of swap entries correctly. It uses xa_cmpxchg_irq to erase…
more
the swap entry, but it gets the entry order before that using xa_get_order without lock protection, and it may get an outdated order value if the entry is split or changed in other ways after the xa_get_order and before the xa_cmpxchg_irq. And besides, the order could grow and be larger than expected, and cause truncation to erase data beyond the end border. For example, if the target entry and following entries are swapped in or freed, then a large folio was added in place and swapped out, using the same entry, the xa_cmpxchg_irq will still succeed, it's very unlikely to happen though. To fix that, open code the Xarray cmpxchg and put the order retrieval and value checking in the same critical section. Also, ensure the order won't exceed the end border, skip it if the entry goes across the border. Skipping large swap entries crosses the end border is safe here. Shmem truncate iterates the range twice, in the first iteration, find_lock_entries already filtered such entries, and shmem will swapin the entries that cross the end border and partially truncate the folio (split the folio or at least zero part of it). So in the second loop here, if we see a swap entry that crosses the end order, it must at least have its content erased already. I observed random swapoff hangs and kernel panics when stress testing ZSWAP with shmem. After applying this patch, all problems are gone.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel race condition with high integrity/availability impact enables exploitation for privilege escalation or system compromise from low-privileged context.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the CVE by requiring timely application of the kernel patches that fix the unprotected xa_get_order/xa_cmpxchg_irq race in shmem swap freeing.
Memory protection mechanisms can block or contain the data corruption and out-of-bounds truncation that result when the swap-entry order check is performed outside the critical section.
Process isolation limits the blast radius of a local race-condition exploit in the shmem/swap code to the affected process or cgroup.