CVE-2026-23432
Published: 03 April 2026
Summary
CVE-2026-23432 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 5.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-11 (Error Handling).
Deeper analysis
CVE-2026-23432 is a use-after-free vulnerability in the Linux kernel's mshv component, specifically in the error path of the mshv_map_user_memory() function. When an error occurs during memory mapping, the code calls vfree() directly on the allocated region without unregistering the associated MMU notifier. This leaves the notifier registered, allowing subsequent userspace unmapping to trigger the notifier, which then accesses the already-freed memory region. The issue is classified under CWE-416 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by triggering the error path in mshv_map_user_memory(), such as through operations involving user memory mapping in a Microsoft Hyper-V guest environment on Linux. Successful exploitation leads to a use-after-free condition, potentially resulting in kernel panic or more severe impacts like arbitrary code execution, data corruption, or denial of service, given the high confidentiality, integrity, and availability impacts indicated by the CVSS score.
The provided kernel patch references detail the mitigation: replace the direct vfree() call with mshv_partition_put() to properly unregister the MMU notifier before freeing the region. Security practitioners should apply the stable kernel commits at https://git.kernel.org/stable/c/34861bdc0c0196b6c2dd48f7454029407704ff6e and https://git.kernel.org/stable/c/6922db250422a0dfee34de322f86b7a73d713d33 to affected Linux kernel versions supporting the mshv driver.
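The error-path pattern described above, as a userspace C model added here for illustration. It is not the kernel's mshv code, and every identifier in it (region_create, region_put, registered_notifiers and the two failed_map functions) is hypothetical. It shows why a raw free leaves a registration behind, while a release helper that unregisters first does not.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only: every name is hypothetical, none is mshv code. */
struct region { int refcount; };
static int registered_notifiers;   /* callbacks the address space would still fire */

/* Allocate a region and register its notifier, as the map path does. */
static struct region *region_create(void)
{
    struct region *r = malloc(sizeof(*r));
    if (!r) return NULL;
    r->refcount = 1;
    registered_notifiers++;
    return r;
}

/* Release helper: on the last reference, unregister first, then free. */
static void region_put(struct region *r)
{
    if (--r->refcount > 0) return;
    registered_notifiers--;
    free(r);
}

/* Pre-fix error path: a raw free skips the unregister step. */
int failed_map_raw_free(void)
{
    struct region *r = region_create();
    if (!r) return -1;
    free(r);
    int stale = registered_notifiers;  /* 1: a later unmap would reach freed memory */
    registered_notifiers = 0;          /* model-only reset so the demo can continue */
    return stale;
}

/* Post-fix error path: the release helper unregisters before freeing. */
int failed_map_with_put(void)
{
    struct region *r = region_create();
    if (!r) return -1;
    region_put(r);
    return registered_notifiers;       /* 0: nothing left to fire */
}

int main(void)
{
    printf("stale after raw free: %d, after put: %d\n", failed_map_raw_free(), failed_map_with_put());
    return 0;
}
```

The model tracks registrations with a counter, so nothing in it ever touches freed memory. In the kernel the leftover registration holds a pointer into the freed region, which is what the notifier dereferences on unmap.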
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18669
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
mshv: Fix use-after-free in mshv_map_user_memory error path
In the error path of mshv_map_user_memory(), calling vfree() directly on the region leaves the MMU notifier registered. When userspace later unmaps the memory, the notifier fires and accesses the freed region, causing a use-after-free and potential kernel panic. Replace vfree() with mshv_partition_put() to properly unregister the MMU notifier before freeing the region.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Local kernel use-after-free in mshv enables direct exploitation for privilege escalation to arbitrary code execution or DoS in the Linux kernel.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) (AI)
Mandates timely flaw remediation by applying kernel patches that fix the use-after-free in mshv_map_user_memory error path.
Implements memory protections such as ASLR and guard pages that hinder exploitation of the use-after-free vulnerability in the kernel's mshv component.
Requires secure error handling to prevent improper cleanup in error paths like mshv_map_user_memory that leads to notifier access of freed memory.