CVE-2026-23161
Published: 14 February 2026
Summary
CVE-2026-23161 is a high-severity Race Condition (CWE-362) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Accurate timestamps from internal clocks enable detection of race conditions by providing reliable event ordering in audit logs.
Coordination of concurrent security activities reduces the probability that shared resources will be accessed simultaneously without proper synchronization.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel race condition with high integrity/availability impact enables exploitation for privilege escalation or system compromise from low-privileged context.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: mm/shmem, swap: fix race of truncate and swap entry split The helper for shmem swap freeing is not handling the order of swap entries correctly. It uses xa_cmpxchg_irq to erase…
more
the swap entry, but it gets the entry order before that using xa_get_order without lock protection, and it may get an outdated order value if the entry is split or changed in other ways after the xa_get_order and before the xa_cmpxchg_irq. And besides, the order could grow and be larger than expected, and cause truncation to erase data beyond the end border. For example, if the target entry and following entries are swapped in or freed, then a large folio was added in place and swapped out, using the same entry, the xa_cmpxchg_irq will still succeed, it's very unlikely to happen though. To fix that, open code the Xarray cmpxchg and put the order retrieval and value checking in the same critical section. Also, ensure the order won't exceed the end border, skip it if the entry goes across the border. Skipping large swap entries crosses the end border is safe here. Shmem truncate iterates the range twice, in the first iteration, find_lock_entries already filtered such entries, and shmem will swapin the entries that cross the end border and partially truncate the folio (split the folio or at least zero part of it). So in the second loop here, if we see a swap entry that crosses the end order, it must at least have its content erased already. I observed random swapoff hangs and kernel panics when stress testing ZSWAP with shmem. After applying this patch, all problems are gone.
Deeper analysisAI
CVE-2026-23161 is a race condition vulnerability in the Linux kernel's memory management subsystems, specifically affecting the mm/shmem and swap components. The issue arises in the shmem swap freeing helper, which fails to correctly handle the order of swap entries. It retrieves the entry order using xa_get_order without lock protection, potentially obtaining an outdated value if the entry is split or modified before the subsequent xa_cmpxchg_irq operation. This can allow the order to exceed expected bounds, leading to truncation that erases data beyond the file's end boundary.
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation may result in limited confidentiality impact, high integrity impact through data corruption or improper truncation, and high availability impact, such as kernel panics or hangs during operations like swapoff. The CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H) reflects these characteristics, tied to CWE-362 (concurrent execution using shared resource with improper synchronization).
Mitigation is provided through kernel patches available in stable releases, as detailed in the referenced commits: https://git.kernel.org/stable/c/8a1968bd997f45a9b11aefeabdd1232e1b6c7184, https://git.kernel.org/stable/c/a99f9a4669a04662c8f9efe0e62cafc598153139, and https://git.kernel.org/stable/c/b23bee8cdb7aabce5701a7f57414db5a354ae8ed. These patches open-code the Xarray cmpxchg operation to ensure order retrieval and value checking occur within the same critical section, while also skipping large swap entries that cross the end boundary to prevent over-truncation. The fix resolved observed swapoff hangs and kernel panics during stress testing of ZSWAP with shmem.
Details
- CWE(s)