Cyber Resilience

CVE-2026-23225

Severity: High
Published: 18 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: available (see the stable commits under Deeper analysis)
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.5th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23225 is a high-severity vulnerability of unspecified weakness type (no CWE is listed) in the Linux kernel; the affected product is inferred from the references. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 5.5th percentile by exploit likelihood (EPSS, below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-23225 is a vulnerability in the Linux kernel's scheduler MMCID management code, specifically related to incorrect assumptions about CID ownership during mode switches between per-CPU and per-task modes. The issue manifests as an out-of-bounds access, initially reported as a KASAN use-after-free (UAF), triggered by a race condition involving task exits and mode transitions across CPUs. For example, one CPU sets the MM_CID_TRANSIT bit on a task running on another CPU, and subsequent task exits lead to improper handling in sched_mm_cid_exit() and mm_drop_cid_on_cpu(), causing clear_bit() to be invoked with an invalid bit number.

A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements, as indicated by the CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation requires concurrent task scheduling and exits across CPUs, such as forking a task, switching to per-CPU CID mode, and then having multiple tasks exit while another task on a different CPU exits without rescheduling. Successful exploitation can result in high impacts on confidentiality, integrity, and availability through the out-of-bounds memory access.

The provided kernel patch references detail the mitigation: validate that the CID is actually CPU-owned (ONCPU bit set) before invoking mm_drop_cid_on_cpu(), preventing the invalid clear_bit() operation during TRANSIT mode. The fixes are available in stable kernel commits at https://git.kernel.org/stable/c/1e83ccd5921a610ef409a7d4e56db27822b4ea39 and https://git.kernel.org/stable/c/81f29975631db8a78651b3140ecd0f88ffafc476. Security practitioners should ensure affected Linux kernels are updated to incorporate these changes.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

sched/mmcid: Don't assume CID is CPU owned on mode switch

Shinichiro reported a KASAN UAF, which is actually an out of bounds access in the MMCID management code. The timeline (two CPUs, flattened by extraction; T1 runs on CPU1, the other tasks on CPU0):

    CPU0                                   CPU1
                                           T1 runs in userspace
    T0: fork(T4)
      -> Switch to per CPU CID mode
         fixup()
           set MM_CID_TRANSIT on T1/CPU1
    T4 exit()
    T3 exit()
    T2 exit()
                                           T1 exit()
                                             switch to per task mode
                                               ---> Out of bounds access

As T1 has not scheduled after T0 set the TRANSIT bit, it exits with the TRANSIT bit set. sched_mm_cid_remove_user() clears the TRANSIT bit in the task and drops the CID, but it does not touch the per CPU storage. That's functionally correct because a CID is only owned by the CPU when the ONCPU bit is set, which is mutually exclusive with the TRANSIT flag. Now sched_mm_cid_exit() assumes that the CID is CPU owned because the prior mode was per CPU. It invokes mm_drop_cid_on_cpu() which clears the not set ONCPU bit and then invokes clear_bit() with an insanely large bit number because TRANSIT is set (bit 29). Prevent that by actually validating that the CID is CPU owned in mm_drop_cid_on_cpu().
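The failure mode described in the Deeper analysis and in the commit text above (an ownership assumption that turns a flag bit into a huge bit index) can be shown in a small model. This is an added example written for this page, not kernel code and not the patch itself: the flag layout is a constructed model in which TRANSIT sits at bit 29 as the page states, while the ONCPU bit position (28), the 64-entry CID bitmap, the struct and the function names are assumptions of the model. The unchecked variant reproduces the pre-fix reasoning; the checked variant applies the validation the fix describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the flag layout the advisory describes. The page
 * states that TRANSIT is bit 29 and that ONCPU is mutually exclusive with
 * TRANSIT; the ONCPU position (bit 28) and the 64-entry CID bitmap are
 * assumptions of this model, not the kernel's definitions. */
#define MM_CID_TRANSIT   (1u << 29)
#define MM_CID_ONCPU     (1u << 28)   /* assumed position */
#define CID_BITMAP_BITS  64u          /* constructed bitmap size */

enum drop_result {
    DROP_OOB     = -1,  /* clear_bit() would write outside the bitmap */
    DROP_SKIPPED =  0,  /* slot was not CPU owned, nothing to drop */
    DROP_DONE    =  1,  /* CID released and bitmap bit cleared */
};

struct mm_model {
    uint64_t     cid_bitmap;  /* one bit per allocated CID */
    unsigned int pcpu_cid;    /* per-CPU slot: CID number plus flag bits */
};

/* Stand-in for clear_bit() that reports an out-of-range bit number instead
 * of touching memory past the bitmap, so the fault is observable here. */
static bool clear_bit_checked(uint64_t *map, unsigned long nr)
{
    if (nr >= CID_BITMAP_BITS)
        return false;
    *map &= ~(1ull << nr);
    return true;
}

/* Pre-fix behaviour as the advisory describes it: assume the slot is CPU
 * owned, clear the (possibly unset) ONCPU bit and free whatever remains. */
static enum drop_result drop_cid_on_cpu_unchecked(struct mm_model *mm)
{
    unsigned long nr = mm->pcpu_cid & ~MM_CID_ONCPU;   /* TRANSIT survives here */
    mm->pcpu_cid = 0;
    return clear_bit_checked(&mm->cid_bitmap, nr) ? DROP_DONE : DROP_OOB;
}

/* Fixed behaviour: only a slot with ONCPU set is CPU owned; anything else
 * (for example a TRANSIT-marked slot) is left alone. */
static enum drop_result drop_cid_on_cpu_checked(struct mm_model *mm)
{
    if (!(mm->pcpu_cid & MM_CID_ONCPU))
        return DROP_SKIPPED;
    unsigned long nr = mm->pcpu_cid & ~MM_CID_ONCPU;
    mm->pcpu_cid = 0;
    return clear_bit_checked(&mm->cid_bitmap, nr) ? DROP_DONE : DROP_OOB;
}

/* State T1 exits in: CID 5 allocated, slot marked TRANSIT by another CPU,
 * ONCPU not set (constructed values). */
static struct mm_model make_transit_state(void)
{
    struct mm_model mm = { .cid_bitmap = 1ull << 5, .pcpu_cid = 5u | MM_CID_TRANSIT };
    return mm;
}

/* Same CID but genuinely CPU owned: both variants must release it. */
static struct mm_model make_oncpu_state(void)
{
    struct mm_model mm = { .cid_bitmap = 1ull << 5, .pcpu_cid = 5u | MM_CID_ONCPU };
    return mm;
}

/* Runs the exit path against the TRANSIT state with or without validation. */
static enum drop_result exit_with_transit(bool validate)
{
    struct mm_model mm = make_transit_state();
    return validate ? drop_cid_on_cpu_checked(&mm) : drop_cid_on_cpu_unchecked(&mm);
}

/* Returns true if the CPU-owned path releases CID 5 from the bitmap. */
static bool oncpu_release_ok(bool validate)
{
    struct mm_model mm = make_oncpu_state();
    enum drop_result r = validate ? drop_cid_on_cpu_checked(&mm)
                                  : drop_cid_on_cpu_unchecked(&mm);
    return r == DROP_DONE && mm.cid_bitmap == 0;
}

int main(void)
{
    printf("TRANSIT slot, unchecked: %d (-1 = out of bounds)\n", exit_with_transit(false));
    printf("TRANSIT slot, checked:   %d (0 = skipped)\n", exit_with_transit(true));
    printf("ONCPU slot released, checked: %s\n", oncpu_release_ok(true) ? "yes" : "no");
    return 0;
}
```

The unchecked path computes a bit number of 5 | (1 << 29), far beyond any plausible bitmap, which is the "insanely large bit number" in the commit text; the checked path refuses the drop because the slot is not CPU owned, and still releases a genuinely ONCPU slot.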

CWE(s): None listed

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel memory corruption (UAF/OOB via scheduler race) directly enables privilege escalation from low-privileged user context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

Affected Assets

Kernel (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent, recover)

Directly requires timely remediation of the specific Linux kernel flaw in MMCID management via patching to eliminate the race condition and out-of-bounds access during CID mode switches.

Memory protection (prevent)

Implements memory protection mechanisms such as KASLR and supervisor protections that mitigate exploitation of the out-of-bounds access resulting from incorrect CID ownership assumptions.

RA-5 Vulnerability Monitoring and Scanning (detect)

Enables vulnerability scanning to identify systems affected by CVE-2026-23225 based on kernel versions prior to the referenced stable commits.

References