mm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node

Summary

CVE	CVE-2026-43292
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-08 14:16:36 UTC
Updated	2026-05-14 21:04:41 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node When CONFIG_PAGE_OWNER is enabled, freeing KASAN shadow pages during vmalloc cleanup triggers expensive stack unwinding that acquires RCU read locks. Processing a large purge_list without rescheduling can cause the task to hold CPU for extended periods (10+ seconds), leading to RCU stalls and potential OOM conditions. The issue manifests in purge_vmap_node() -> kasan_release_vmalloc_node() where iterating through hundreds or thousands of vmap_area entries and freeing their associated shadow pages causes: rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P6229/1:b..l ... task:kworker/0:17 state:R running task stack:28840 pid:6229 ... kasan_release_vmalloc_node+0x1ba/0xad0 mm/vmalloc.c:2299 purge_vmap_node+0x1ba/0xad0 mm/vmalloc.c:2299 Each call to kasan_release_vmalloc() can free many pages, and with page_owner tracking, each free triggers save_stack() which performs stack unwinding under RCU read lock. Without yielding, this creates an unbounded RCU critical section. Add periodic cond_resched() calls within the loop to allow: - RCU grace periods to complete - Other tasks to run - Scheduler to preempt when needed The fix uses need_resched() for immediate response under load, with a batch count of 32 as a guaranteed upper bound to prevent worst-case stalls even under light load.

Risk And Classification

Primary CVSS: v3.1 5.5 MEDIUM from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.000180000 probability, percentile 0.047270000 (date 2026-05-12)

Problem Types: NVD-CWE-noinfo

CVSS v3.1 Breakdown

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Linux	Linux Kernel	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 282631cb2447318e2a55b41a665dbe8571c46d70 2efa9c02c9b4c0d6866aa445f11056809b25ca28 git	Not specified
CNA	Linux	Linux	affected 282631cb2447318e2a55b41a665dbe8571c46d70 1afe45f89d54b7183768ebbbbf14238ec187ab5c git	Not specified
CNA	Linux	Linux	affected 282631cb2447318e2a55b41a665dbe8571c46d70 b351fbe71091f7c8676c8ba597653d08b6719447 git	Not specified
CNA	Linux	Linux	affected 282631cb2447318e2a55b41a665dbe8571c46d70 5747435e0fd474c24530ef1a6822f47e7d264b27 git	Not specified
CNA	Linux	Linux	affected 6.9	Not specified
CNA	Linux	Linux	unaffected 6.9 semver	Not specified
CNA	Linux	Linux	unaffected 6.12.75 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.16 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.6 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/b351fbe71091f7c8676c8ba597653d08b6719447	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/2efa9c02c9b4c0d6866aa445f11056809b25ca28	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/1afe45f89d54b7183768ebbbbf14238ec187ab5c	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/5747435e0fd474c24530ef1a6822f47e7d264b27	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.