CVE-2026-23415

Severity: High
Published: 02 April 2026
Modified: 27 April 2026
CVSS v3.1 score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0002 (4.8th percentile)
Risk priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23415 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23415 is a use-after-free vulnerability in the Linux kernel's futex subsystem. The issue is a race between futex_key_to_node_opt(), which reads vma->vm_policy under the speculative mmap lock and RCU, and a concurrent mbind() call that invokes vma_replace_policy(). vma_replace_policy() frees the old mempolicy immediately via kmem_cache_free(), so __futex_key_to_node() can dereference the freed mempolicy pointer and read mpol->mode. KASAN reports this as a slab-use-after-free at kernel/futex/core.c:349.

A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Exploitation leads to a use-after-free read, enabling high impacts on confidentiality, integrity, and availability, per its CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and association with CWE-416.

Kernel patches mitigate the issue by adding RCU handling to __mpol_put() to prevent the immediate free during the race. Relevant stable commits include 190a8c48ff623c3d67cb295b4536a660db2012aa, 7e196194ea27bd49adf3551e2aceb83498eb73fe, and 853f70c67d1b37e368fdcb3e328c4b8c04f53ac0, available via git.kernel.org.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()

During futex_key_to_node_opt() execution, vma->vm_policy is read under speculative mmap lock and RCU. Concurrently, mbind() may call vma_replace_policy() which frees the old mempolicy immediately via kmem_cache_free().

This creates a race where __futex_key_to_node() dereferences a freed mempolicy pointer, causing a use-after-free read of mpol->mode.

    [ 151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)
    [ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87
    [ 151.415969] Call Trace:
    [ 151.416732] __asan_load2 (mm/kasan/generic.c:271)
    [ 151.416777] __futex_key_to_node (kernel/futex/core.c:349)
    [ 151.416822] get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)

Fix by adding rcu to __mpol_put().
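
A triage sketch for the KASAN report quoted above, added here as an example and not taken from the kernel commit or from this advisory: it scans kernel log text for a KASAN use-after-free raised in __futex_key_to_node and extracts the fields an analyst would record. The function name find_futex_uaf is an assumption of this example, and the sample log is the trace from this page.

```python
import re

# Header line of a KASAN report, e.g.
# "BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)"
BUG_RE = re.compile(
    r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r"(?: \((?P<src>[^)]+)\))?")
# Access line: "Read of size 2 at addr ffff888001c49634 by task e/87"
ACC_RE = re.compile(
    r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
    r" by task (?P<task>\S+)/(?P<pid>\d+)")
TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # dmesg timestamp prefix

SAMPLE_LOG = """\
[ 151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)
[ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87
[ 151.415969] Call Trace:
[ 151.416732] __asan_load2 (mm/kasan/generic.c:271)
[ 151.416777] __futex_key_to_node (kernel/futex/core.c:349)
[ 151.416822] get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)
"""

def find_futex_uaf(log_text, func="__futex_key_to_node"):
    """Return one dict per KASAN use-after-free report raised in `func`."""
    hits, current = [], None
    for raw in log_text.splitlines():
        line = TS_RE.sub("", raw).strip()
        bug = BUG_RE.search(line)
        if bug:
            # A new report starts; track it only if it matches our signature.
            is_hit = bug["kind"].endswith("use-after-free") and bug["func"] == func
            current = {"kind": bug["kind"], "func": bug["func"],
                       "src": bug["src"], "frames": []} if is_hit else None
            if current:
                hits.append(current)
            continue
        if current is None:
            continue
        acc = ACC_RE.search(line)
        if acc:
            current.update(op=acc["op"], size=int(acc["size"]),
                           addr=acc["addr"], task=acc["task"], pid=int(acc["pid"]))
        elif re.match(r"\w+ \(", line):  # symbolized frame: "func (file:line)"
            current["frames"].append(line.split(" ", 1)[0])
    return hits

if __name__ == "__main__":
    for hit in find_futex_uaf(SAMPLE_LOG):
        print(hit)
```

KASAN reports appear only on kernels built with CONFIG_KASAN, so an empty result on a production kernel says nothing about whether the host is patched.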

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF in futex enables direct privilege escalation from low-priv userland to full system compromise (C/I/A high).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 · Same product: Linux kernel
CVE-2026-31530 · Same product: Linux kernel
CVE-2026-43019 · Same product: Linux kernel
CVE-2026-23158 · Same product: Linux kernel
CVE-2025-21893 · Same product: Linux kernel
CVE-2026-31446 · Same product: Linux kernel
CVE-2026-31650 · Same product: Linux kernel
CVE-2026-23001 · Same product: Linux kernel
CVE-2024-50051 · Same product: Linux kernel
CVE-2025-21759 · Same product: Linux kernel

Affected Assets

linux
linux kernel
6.16, 7.0 · 6.16.1 — 6.18.21 · 6.19 — 6.19.11

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely patching of kernel flaws like this use-after-free in the futex subsystem to eliminate the race condition.

detect

Mandates vulnerability scanning to identify and prioritize remediation of kernel CVEs such as CVE-2026-23415.

prevent

Implements memory protection mechanisms that can mitigate exploitation of use-after-free vulnerabilities in kernel memory management.
