CVE-2026-23225
Published: 18 February 2026
Summary
CVE-2026-23225 is a high-severity vulnerability in the Linux kernel (product inferred from references); the weakness type (CWE) is unspecified. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 5.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-23225 is a vulnerability in the Linux kernel's scheduler MMCID management code, specifically related to incorrect assumptions about CID ownership during mode switches between per-CPU and per-task modes. The issue manifests as an out-of-bounds access, initially reported as a KASAN use-after-free (UAF), triggered by a race condition involving task exits and mode transitions across CPUs. For example, one CPU sets the MM_CID_TRANSIT bit on a task running on another CPU, and subsequent task exits lead to improper handling in sched_mm_cid_exit() and mm_drop_cid_on_cpu(), causing clear_bit() to be invoked with an invalid bit number.
A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements, as indicated by the CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation requires concurrent task scheduling and exits across CPUs, such as forking a task, switching to per-CPU CID mode, and then having multiple tasks exit while another task on a different CPU exits without rescheduling. Successful exploitation can result in high impacts on confidentiality, integrity, and availability through the out-of-bounds memory access.
The referenced kernel patches describe the fix: validate in mm_drop_cid_on_cpu() that the CID is actually CPU-owned (ONCPU bit set) before dropping it, which prevents the invalid clear_bit() call while the TRANSIT bit is set. The fixes are available in stable kernel commits at https://git.kernel.org/stable/c/1e83ccd5921a610ef409a7d4e56db27822b4ea39 and https://git.kernel.org/stable/c/81f29975631db8a78651b3140ecd0f88ffafc476. Security practitioners should ensure affected Linux kernels are updated to incorporate these changes.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7676
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: sched/mmcid: Don't assume CID is CPU owned on mode switch

Shinichiro reported a KASAN UAF, which is actually an out of bounds access in the MMCID management code.

Sequence of events (CPU0 / CPU1):
- CPU1: T1 runs in userspace
- CPU0: T0: fork(T4) -> Switch to per CPU CID mode; fixup() sets MM_CID_TRANSIT on T1/CPU1
- T4 exit(), T3 exit(), T2 exit()
- CPU1: T1 exit() -> switch to per task mode ---> Out of bounds access.

As T1 has not scheduled after T0 set the TRANSIT bit, it exits with the TRANSIT bit set. sched_mm_cid_remove_user() clears the TRANSIT bit in the task and drops the CID, but it does not touch the per CPU storage. That's functionally correct because a CID is only owned by the CPU when the ONCPU bit is set, which is mutually exclusive with the TRANSIT flag. Now sched_mm_cid_exit() assumes that the CID is CPU owned because the prior mode was per CPU. It invokes mm_drop_cid_on_cpu() which clears the not set ONCPU bit and then invokes clear_bit() with an insanely large bit number because TRANSIT is set (bit 29). Prevent that by actually validating that the CID is CPU owned in mm_drop_cid_on_cpu().
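As an added illustration of the ownership check described in the analysis above and in the commit message (this is not code from the Linux kernel or from this advisory), the following userspace C model shows why validating the ONCPU bit inside the drop path matters. The TRANSIT bit position (29) is taken from the commit message; the ONCPU bit position, the 64-bit CID bitmap, the CID value 5 and every function name are assumptions made for the model and do not match the kernel's own definitions. The stand-in clear_bit() refuses and reports an out-of-range bit number rather than reproducing the memory access.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* CID word layout in this model. TRANSIT at bit 29 comes from the commit
 * message; the ONCPU position is an assumption for the model, not the
 * kernel's definition. */
#define MM_CID_TRANSIT  (1u << 29)
#define MM_CID_ONCPU    (1u << 30)      /* assumed position */

/* Constructed per-mm CID bitmap: 64 bits, one per allocatable CID. */
#define NR_CIDS 64u

static bool cid_in_use(uint64_t map, unsigned int nr)
{
    return (map >> nr) & 1u;
}

/* Stand-in for clear_bit(): where the unpatched path would address memory
 * past the bitmap, this refuses and reports instead of writing. */
static bool clear_bit_checked(unsigned int nr, uint64_t *map)
{
    if (nr >= NR_CIDS) {
        printf("  clear_bit(%u): beyond a %u-bit map\n", nr, NR_CIDS);
        return false;
    }
    *map &= ~((uint64_t)1 << nr);
    return true;
}

/* Pre-fix mm_drop_cid_on_cpu() as the commit describes it: strip ONCPU
 * (whether set or not) and clear the remainder as a bit number. With
 * TRANSIT still set that number is >= 2^29. */
static bool drop_cid_on_cpu_prefix(uint64_t *map, uint32_t *pcpu_cid)
{
    uint32_t cid = *pcpu_cid & ~MM_CID_ONCPU;
    *pcpu_cid = 0;
    return clear_bit_checked(cid, map);
}

/* Fixed version: a word is CPU owned only when ONCPU is set, so a word with
 * TRANSIT (or nothing) set is left untouched. */
static bool drop_cid_on_cpu_fixed(uint64_t *map, uint32_t *pcpu_cid)
{
    if (!(*pcpu_cid & MM_CID_ONCPU))
        return true;                    /* not CPU owned: nothing to drop */
    uint32_t cid = *pcpu_cid & ~MM_CID_ONCPU;
    *pcpu_cid = 0;
    return clear_bit_checked(cid, map);
}

/* T1's per-CPU word at exit in the commit's scenario (constructed value):
 * CID 5 with TRANSIT set and ONCPU clear. */
static uint32_t t1_exit_cid_word(void)
{
    return 5u | MM_CID_TRANSIT;
}

/* Runs one drop against a fresh bitmap in which CID 5 is allocated. Returns
 * true if the drop stayed in bounds (or was skipped); *cid5_kept reports
 * whether CID 5 is still marked in use afterwards. */
static bool drop_scenario(bool fixed, uint32_t word, bool *cid5_kept)
{
    uint64_t map = (uint64_t)1 << 5;
    uint32_t pcpu_cid = word;
    bool ok = fixed ? drop_cid_on_cpu_fixed(&map, &pcpu_cid)
                    : drop_cid_on_cpu_prefix(&map, &pcpu_cid);
    *cid5_kept = cid_in_use(map, 5);
    return ok;
}

static bool prefix_drop_of_transit_word_in_bounds(void)
{
    bool kept;
    return drop_scenario(false, t1_exit_cid_word(), &kept);
}

static bool fixed_drop_of_transit_word_keeps_cid(void)
{
    bool kept;
    return drop_scenario(true, t1_exit_cid_word(), &kept) && kept;
}

static bool fixed_drop_of_owned_word_releases_cid(void)
{
    bool kept;
    return drop_scenario(true, 5u | MM_CID_ONCPU, &kept) && !kept;
}

int main(void)
{
    printf("pre-fix drop of TRANSIT word stays in bounds: %d\n",
           prefix_drop_of_transit_word_in_bounds());
    printf("fixed drop of TRANSIT word skips and keeps CID 5: %d\n",
           fixed_drop_of_transit_word_keeps_cid());
    printf("fixed drop of ONCPU word releases CID 5: %d\n",
           fixed_drop_of_owned_word_releases_cid());
    return 0;
}
```

The pre-fix path turns a word that merely has TRANSIT set into a bit number above 2^29, which no CID bitmap can hold; the fixed path treats the absence of ONCPU as "not owned by this CPU" and leaves both the per-CPU slot and the bitmap alone, while a genuinely CPU-owned word is still released normally.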
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel memory corruption (UAF/OOB via scheduler race) directly enables privilege escalation from low-privileged user context.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly requires timely remediation of the specific Linux kernel flaw in MMCID management via patching to eliminate the race condition and out-of-bounds access during CID mode switches.
- Implements memory protection mechanisms such as KASLR and supervisor protections that mitigate exploitation of the out-of-bounds access resulting from incorrect CID ownership assumptions.
- Enables vulnerability scanning to identify systems affected by CVE-2026-23225 based on kernel versions prior to the referenced stable commits.