CVE-2026-23415
Published: 02 April 2026
Summary
CVE-2026-23415 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-23415 is a use-after-free vulnerability in the Linux kernel's futex subsystem. The issue arises from a race condition between futex_key_to_node_opt(), which reads vma->vm_policy under the speculative mmap lock and RCU, and concurrent execution of mbind() that invokes vma_replace_policy(). This frees the old mempolicy immediately via kmem_cache_free(), allowing __futex_key_to_node() to dereference the freed mempolicy pointer and read mpol->mode, as evidenced by a KASAN-reported slab-use-after-free at kernel/futex/core.c:349.
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Exploitation leads to a use-after-free read, enabling high impacts on confidentiality, integrity, and availability, per its CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and association with CWE-416.
Kernel patches mitigate the issue by adding RCU handling to __mpol_put() to prevent the immediate free during the race. Relevant stable commits include 190a8c48ff623c3d67cb295b4536a660db2012aa, 7e196194ea27bd49adf3551e2aceb83498eb73fe, and 853f70c67d1b37e368fdcb3e328c4b8c04f53ac0, available via git.kernel.org.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18196
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()

During futex_key_to_node_opt() execution, vma->vm_policy is read under speculative mmap lock and RCU. Concurrently, mbind() may call vma_replace_policy() which frees the old mempolicy immediately via kmem_cache_free().

This creates a race where __futex_key_to_node() dereferences a freed mempolicy pointer, causing a use-after-free read of mpol->mode.

[ 151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)
[ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87
[ 151.415969] Call Trace:
[ 151.416732] __asan_load2 (mm/kasan/generic.c:271)
[ 151.416777] __futex_key_to_node (kernel/futex/core.c:349)
[ 151.416822] get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)

Fix by adding rcu to __mpol_put().
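For triaging logs from KASAN-enabled test or fuzzing kernels, the sketch below parses KASAN reports and flags those that match the trace quoted above. It is an added example, not code from the kernel project or this page's source; the function names and the matching rule (use-after-free read faulting in __futex_key_to_node) are assumptions derived from that trace, and a match only means the report resembles it.

```python
import re

# Log lines copied from the KASAN trace quoted on this page.
SAMPLE = """\
[  151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)
[  151.414046] Read of size 2 at addr ffff888001c49634 by task e/87
[  151.415969] Call Trace:
[  151.416732]  __asan_load2 (mm/kasan/generic.c:271)
[  151.416777]  __futex_key_to_node (kernel/futex/core.c:349)
[  151.416822]  get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")            # dmesg timestamp prefix
BUG = re.compile(r"BUG: KASAN: (\S+) in (\w+)")     # bug class + faulting function
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
# A frame is "symbol", optionally "+0xoff/0xlen", optionally " (file:line ...)".
FRAME = re.compile(r"^(?:\? )?([A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?: \(.*\))?$")

def parse_kasan(log):
    """Return one dict per KASAN report found in a dmesg-style log."""
    reports, cur, in_trace = [], None, False
    for raw in log.splitlines():
        line = TS.sub("", raw).strip()
        if m := BUG.search(line):
            cur = {"bug": m[1], "func": m[2], "access": None, "size": None,
                   "addr": None, "task": None, "pid": None, "trace": []}
            reports.append(cur)
            in_trace = False
        elif cur is None:
            continue                                 # noise before the first report
        elif m := ACCESS.search(line):
            cur.update(access=m[1], size=int(m[2]), addr=m[3], task=m[4], pid=int(m[5]))
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace and (m := FRAME.match(line)):
            cur["trace"].append(m[1])
        elif in_trace and line not in ("<TASK>", "</TASK>"):
            in_trace = False                         # first non-frame line ends the trace
    return reports

def matches_cve_2026_23415(report):
    """Assumed signature: UAF read whose faulting function is __futex_key_to_node."""
    return (report["bug"].endswith("use-after-free") and report["access"] == "Read"
            and report["func"] == "__futex_key_to_node")

if __name__ == "__main__":
    for r in parse_kasan(SAMPLE):
        print(r["bug"], r["func"], r["trace"], matches_cve_2026_23415(r))
```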
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel UAF in futex enables direct privilege escalation from low-priv userland to full system compromise (C/I/A high).
Mitigating Controls (NIST 800-53 r5)
Requires timely patching of kernel flaws like this use-after-free in the futex subsystem to eliminate the race condition.
Mandates vulnerability scanning to identify and prioritize remediation of kernel CVEs such as CVE-2026-23415.
Implements memory protection mechanisms that can mitigate exploitation of use-after-free vulnerabilities in kernel memory management.