{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23432", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.016Z", "datePublished": "2026-04-03T15:15:18.061Z", "dateUpdated": "2026-04-03T15:15:18.061Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-03T15:15:18.061Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmshv: Fix use-after-free in mshv_map_user_memory error path\n\nIn the error path of mshv_map_user_memory(), calling vfree() directly on\nthe region leaves the MMU notifier registered. When userspace later unmaps\nthe memory, the notifier fires and accesses the freed region, causing a\nuse-after-free and potential kernel panic.\n\nReplace vfree() with mshv_partition_put() to properly unregister\nthe MMU notifier before freeing the region."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/hv/mshv_root_main.c"], "versions": [{"version": "b9a66cd5ccbb9fade15d0e427e19470d8ad35b75", "lessThan": "34861bdc0c0196b6c2dd48f7454029407704ff6e", "status": "affected", "versionType": "git"}, {"version": "b9a66cd5ccbb9fade15d0e427e19470d8ad35b75", "lessThan": "6922db250422a0dfee34de322f86b7a73d713d33", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/hv/mshv_root_main.c"], "versions": [{"version": "6.19", "status": "affected"}, {"version": "0", "lessThan": "6.19", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "7.0-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/34861bdc0c0196b6c2dd48f7454029407704ff6e"}, {"url": "https://git.kernel.org/stable/c/6922db250422a0dfee34de322f86b7a73d713d33"}], "title": "mshv: Fix use-after-free in mshv_map_user_memory error path", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmshv: Fix use-after-free in mshv_map_user_memory error path\n\nIn the error path of mshv_map_user_memory(), calling vfree() directly on\nthe region leaves the MMU notifier registered. When userspace later unmaps\nthe memory, the notifier fires and accesses the freed region, causing a\nuse-after-free and potential kernel panic.\n\nReplace vfree() with mshv_partition_put() to properly unregister\nthe MMU notifier before freeing the region."}], "id": "CVE-2026-23432", "lastModified": "2026-04-03T16:16:24.637", "metrics": {}, "published": "2026-04-03T16:16:24.637", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/34861bdc0c0196b6c2dd48f7454029407704ff6e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6922db250422a0dfee34de322f86b7a73d713d33"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b9a66cd5ccbb9fade15d0e427e19470d8ad35b75,34861bdc0c0196b6c2dd48f7454029407704ff6e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b9a66cd5ccbb9fade15d0e427e19470d8ad35b75,6922db250422a0dfee34de322f86b7a73d713d33)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.19"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.19)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-03T18:27:55.438486+00:00", "value": {"mitigation_remediation": ["Install a Linux kernel version that includes the patch replacing vfree() with mshv_partition_put() in the mshv_map_user_memory error path"], "summary": {"action": "Apply Patch", "impact": "Kernel Panic / Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected component is the Linux kernel itself; the vendor is Linux. No specific patch level ranges are disclosed in the advisory, but the patched commit is included in recent kernel releases. All users of the kernel must verify whether the kasan/mshv_map_user_memory path is present and whether the kernel has been updated to the fixed version.", "description_and_impact": "The vulnerability is a use\u2011after\u2011free in the hypervisor memory mapping routine of the Linux kernel. When an error occurs during user memory mapping, the code frees a memory region without first unregistering the MMU notifier. If user space later unmaps that memory, the notifier handler runs on the freed region, leading to a crash of the kernel. The immediate consequence is a system\u2011wide denial of service via a kernel panic. \"Use\u2011After\u2011Free\" is a classic memory corruption weakness that can, in some contexts, also allow an attacker to manipulate kernel state, though no direct privilege\u2011escalation exploit is documented for this defect.", "risk_and_exploitability": "The CVSS score is not provided, but the failure leads directly to a kernel crash, which is a severe impact. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector would require the attacker to invoke the hypervisor user memory mapping routine, which typically is a privileged operation. Therefore, the exploitability is considered moderate to low in a typical production system without a malicious hypervisor, yet the consequence of a single crash is high. The risk is heightened for environments where a hypervisor is exposed to untrusted code."}}}}, "created": "2026-04-03T21:14:05.991245+00:00", "updated": "2026-04-03T21:16:19.591812+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-416"]}