{"api_version":"1","generated_at":"2026-06-20T18:35:47+00:00","cve":"CVE-2026-46279","urls":{"html":"https://cve.report/CVE-2026-46279","api":"https://cve.report/api/cve/CVE-2026-46279.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-46279","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-46279"},"summary":{"title":"mm/alloc_tag: clear codetag for pages allocated before page_ext initialization","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/alloc_tag: clear codetag for pages allocated before page_ext initialization\n\nDue to initialization ordering, page_ext is allocated and initialized\nrelatively late during boot. Some pages have already been allocated and\nfreed before page_ext becomes available, leaving their codetag\nuninitialized.\n\nA clear example is in init_section_page_ext(): alloc_page_ext() calls\nkmemleak_alloc(). If the slab cache has no free objects, it falls back to\nthe buddy allocator to allocate memory. However, at this point page_ext\nis not yet fully initialized, so these newly allocated pages have no\ncodetag set. These pages may later be reclaimed by KASAN, which causes\nthe warning to trigger when they are freed because their codetag ref is\nstill empty.\n\nUse a global array to track pages allocated before page_ext is fully\ninitialized. The array size is fixed at 8192 entries, and will emit a\nwarning if this limit is exceeded. When page_ext initialization\ncompletes, set their codetag to empty to avoid warnings when they are\nfreed later.\n\nThis warning is only observed with CONFIG_MEM_ALLOC_PROFILING_DEBUG=Y and\nmem_profiling_compressed disabled:\n\n[ 9.582133] ------------[ cut here ]------------\n[ 9.582137] alloc_tag was not set\n[ 9.582139] WARNING: ./include/linux/alloc_tag.h:164 at __pgalloc_tag_sub+0x40f/0x550, CPU#5: systemd/1\n[ 9.582190] CPU: 5 UID: 0 PID: 1 Comm: systemd Not tainted 7.0.0-rc4 #1 PREEMPT(lazy)\n[ 9.582192] Hardware name: Red Hat KVM, BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[ 9.582194] RIP: 0010:__pgalloc_tag_sub+0x40f/0x550\n[ 9.582196] Code: 00 00 4c 29 e5 48 8b 05 1f 88 56 05 48 8d 4c ad 00 48 8d 2c c8 e9 87 fd ff ff 0f 0b 0f 0b e9 f3 fe ff ff 48 8d 3d 61 2f ed 03 <67> 48 0f b9 3a e9 b3 fd ff ff 0f 0b eb e4 e8 5e cd 14 02 4c 89 c7\n[ 9.582197] RSP: 0018:ffffc9000001f940 EFLAGS: 00010246\n[ 9.582200] RAX: dffffc0000000000 RBX: 1ffff92000003f2b RCX: 1ffff110200d806c\n[ 9.582201] RDX: ffff8881006c0360 RSI: 0000000000000004 RDI: ffffffff9bc7b460\n[ 9.582202] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff3a62324\n[ 9.582203] R10: ffffffff9d311923 R11: 0000000000000000 R12: ffffea0004001b00\n[ 9.582204] R13: 0000000000002000 R14: ffffea0000000000 R15: ffff8881006c0360\n[ 9.582206] FS: 00007ffbbcf2d940(0000) GS:ffff888450479000(0000) knlGS:0000000000000000\n[ 9.582208] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 9.582210] CR2: 000055ee3aa260d0 CR3: 0000000148b67005 CR4: 0000000000770ef0\n[ 9.582211] PKRU: 55555554\n[ 9.582212] Call Trace:\n[ 9.582213] \n[ 9.582214] ? __pfx___pgalloc_tag_sub+0x10/0x10\n[ 9.582216] ? check_bytes_and_report+0x68/0x140\n[ 9.582219] __free_frozen_pages+0x2e4/0x1150\n[ 9.582221] ? __free_slab+0xc2/0x2b0\n[ 9.582224] qlist_free_all+0x4c/0xf0\n[ 9.582227] kasan_quarantine_reduce+0x15d/0x180\n[ 9.582229] __kasan_slab_alloc+0x69/0x90\n[ 9.582232] kmem_cache_alloc_noprof+0x14a/0x500\n[ 9.582234] do_getname+0x96/0x310\n[ 9.582237] do_readlinkat+0x91/0x2f0\n[ 9.582239] ? __pfx_do_readlinkat+0x10/0x10\n[ 9.582240] ? get_random_bytes_user+0x1df/0x2c0\n[ 9.582244] __x64_sys_readlinkat+0x96/0x100\n[ 9.582246] do_syscall_64+0xce/0x650\n[ 9.582250] ? __x64_sys_getrandom+0x13a/0x1e0\n[ 9.582252] ? __pfx___x64_sys_getrandom+0x10/0x10\n[ 9.582254] ? do_syscall_64+0x114/0x650\n[ 9.582255] ? ksys_read+0xfc/0x1d0\n[ 9.582258] ? __pfx_ksys_read+0x10/0x10\n[ 9.582260] ? do_syscall_64+0x114/0x650\n[ 9.582262] ? do_syscall_64+0x114/0x650\n[ 9.582264] ? __pfx_fput_close_sync+0x10/0x10\n[ 9.582266] ? file_close_fd_locked+0x178/0x2a0\n[ 9.582268] ? __x64_sys_faccessat2+0x96/0x100\n[ 9.582269] ? __x64_sys_close+0x7d/0xd0\n[ 9.582271] ? do_syscall_64+0x114/0x650\n[ 9.582273] ? do_syscall_64+0x114/0x650\n[ 9.582275] ? clear_bhb_loop+0x50/0xa0\n[ 9.582277] ? clear_bhb_l\n---truncated---","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-08 17:16:45","updated_at":"2026-06-08 17:16:45"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/b49dfabc38cad5e50af24f63edd124a10de3ebb6","name":"https://git.kernel.org/stable/c/b49dfabc38cad5e50af24f63edd124a10de3ebb6","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/6b1842775a460245e97d36d3a67d0cfba7c4ff79","name":"https://git.kernel.org/stable/c/6b1842775a460245e97d36d3a67d0cfba7c4ff79","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d5b495ba9de0423ef39f8bd86729a885870c7efe","name":"https://git.kernel.org/stable/c/d5b495ba9de0423ef39f8bd86729a885870c7efe","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-46279","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46279","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected dcfe378c81f72f146890ce1dcfdcc742d3b66924 d5b495ba9de0423ef39f8bd86729a885870c7efe git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected dcfe378c81f72f146890ce1dcfdcc742d3b66924 b49dfabc38cad5e50af24f63edd124a10de3ebb6 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected dcfe378c81f72f146890ce1dcfdcc742d3b66924 6b1842775a460245e97d36d3a67d0cfba7c4ff79 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.10","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.10 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.27 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.4 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1-rc1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"46279","cve":"CVE-2026-46279","epss":"0.000220000","percentile":"0.063970000","score_date":"2026-06-14","updated_at":"2026-06-15 00:14:09"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["include/linux/alloc_tag.h","include/linux/pgalloc_tag.h","lib/alloc_tag.c","mm/page_alloc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"d5b495ba9de0423ef39f8bd86729a885870c7efe","status":"affected","version":"dcfe378c81f72f146890ce1dcfdcc742d3b66924","versionType":"git"},{"lessThan":"b49dfabc38cad5e50af24f63edd124a10de3ebb6","status":"affected","version":"dcfe378c81f72f146890ce1dcfdcc742d3b66924","versionType":"git"},{"lessThan":"6b1842775a460245e97d36d3a67d0cfba7c4ff79","status":"affected","version":"dcfe378c81f72f146890ce1dcfdcc742d3b66924","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["include/linux/alloc_tag.h","include/linux/pgalloc_tag.h","lib/alloc_tag.c","mm/page_alloc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.10"},{"lessThan":"6.10","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.27","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.4","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1-rc1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.27","versionStartIncluding":"6.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.4","versionStartIncluding":"6.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1-rc1","versionStartIncluding":"6.10","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/alloc_tag: clear codetag for pages allocated before page_ext initialization\n\nDue to initialization ordering, page_ext is allocated and initialized\nrelatively late during boot. Some pages have already been allocated and\nfreed before page_ext becomes available, leaving their codetag\nuninitialized.\n\nA clear example is in init_section_page_ext(): alloc_page_ext() calls\nkmemleak_alloc(). If the slab cache has no free objects, it falls back to\nthe buddy allocator to allocate memory. However, at this point page_ext\nis not yet fully initialized, so these newly allocated pages have no\ncodetag set. These pages may later be reclaimed by KASAN, which causes\nthe warning to trigger when they are freed because their codetag ref is\nstill empty.\n\nUse a global array to track pages allocated before page_ext is fully\ninitialized. The array size is fixed at 8192 entries, and will emit a\nwarning if this limit is exceeded. When page_ext initialization\ncompletes, set their codetag to empty to avoid warnings when they are\nfreed later.\n\nThis warning is only observed with CONFIG_MEM_ALLOC_PROFILING_DEBUG=Y and\nmem_profiling_compressed disabled:\n\n[ 9.582133] ------------[ cut here ]------------\n[ 9.582137] alloc_tag was not set\n[ 9.582139] WARNING: ./include/linux/alloc_tag.h:164 at __pgalloc_tag_sub+0x40f/0x550, CPU#5: systemd/1\n[ 9.582190] CPU: 5 UID: 0 PID: 1 Comm: systemd Not tainted 7.0.0-rc4 #1 PREEMPT(lazy)\n[ 9.582192] Hardware name: Red Hat KVM, BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[ 9.582194] RIP: 0010:__pgalloc_tag_sub+0x40f/0x550\n[ 9.582196] Code: 00 00 4c 29 e5 48 8b 05 1f 88 56 05 48 8d 4c ad 00 48 8d 2c c8 e9 87 fd ff ff 0f 0b 0f 0b e9 f3 fe ff ff 48 8d 3d 61 2f ed 03 <67> 48 0f b9 3a e9 b3 fd ff ff 0f 0b eb e4 e8 5e cd 14 02 4c 89 c7\n[ 9.582197] RSP: 0018:ffffc9000001f940 EFLAGS: 00010246\n[ 9.582200] RAX: dffffc0000000000 RBX: 1ffff92000003f2b RCX: 1ffff110200d806c\n[ 9.582201] RDX: ffff8881006c0360 RSI: 0000000000000004 RDI: ffffffff9bc7b460\n[ 9.582202] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff3a62324\n[ 9.582203] R10: ffffffff9d311923 R11: 0000000000000000 R12: ffffea0004001b00\n[ 9.582204] R13: 0000000000002000 R14: ffffea0000000000 R15: ffff8881006c0360\n[ 9.582206] FS: 00007ffbbcf2d940(0000) GS:ffff888450479000(0000) knlGS:0000000000000000\n[ 9.582208] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 9.582210] CR2: 000055ee3aa260d0 CR3: 0000000148b67005 CR4: 0000000000770ef0\n[ 9.582211] PKRU: 55555554\n[ 9.582212] Call Trace:\n[ 9.582213] \n[ 9.582214] ? __pfx___pgalloc_tag_sub+0x10/0x10\n[ 9.582216] ? check_bytes_and_report+0x68/0x140\n[ 9.582219] __free_frozen_pages+0x2e4/0x1150\n[ 9.582221] ? __free_slab+0xc2/0x2b0\n[ 9.582224] qlist_free_all+0x4c/0xf0\n[ 9.582227] kasan_quarantine_reduce+0x15d/0x180\n[ 9.582229] __kasan_slab_alloc+0x69/0x90\n[ 9.582232] kmem_cache_alloc_noprof+0x14a/0x500\n[ 9.582234] do_getname+0x96/0x310\n[ 9.582237] do_readlinkat+0x91/0x2f0\n[ 9.582239] ? __pfx_do_readlinkat+0x10/0x10\n[ 9.582240] ? get_random_bytes_user+0x1df/0x2c0\n[ 9.582244] __x64_sys_readlinkat+0x96/0x100\n[ 9.582246] do_syscall_64+0xce/0x650\n[ 9.582250] ? __x64_sys_getrandom+0x13a/0x1e0\n[ 9.582252] ? __pfx___x64_sys_getrandom+0x10/0x10\n[ 9.582254] ? do_syscall_64+0x114/0x650\n[ 9.582255] ? ksys_read+0xfc/0x1d0\n[ 9.582258] ? __pfx_ksys_read+0x10/0x10\n[ 9.582260] ? do_syscall_64+0x114/0x650\n[ 9.582262] ? do_syscall_64+0x114/0x650\n[ 9.582264] ? __pfx_fput_close_sync+0x10/0x10\n[ 9.582266] ? file_close_fd_locked+0x178/0x2a0\n[ 9.582268] ? __x64_sys_faccessat2+0x96/0x100\n[ 9.582269] ? __x64_sys_close+0x7d/0xd0\n[ 9.582271] ? do_syscall_64+0x114/0x650\n[ 9.582273] ? do_syscall_64+0x114/0x650\n[ 9.582275] ? clear_bhb_loop+0x50/0xa0\n[ 9.582277] ? clear_bhb_l\n---truncated---"}],"providerMetadata":{"dateUpdated":"2026-06-08T15:41:21.972Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/d5b495ba9de0423ef39f8bd86729a885870c7efe"},{"url":"https://git.kernel.org/stable/c/b49dfabc38cad5e50af24f63edd124a10de3ebb6"},{"url":"https://git.kernel.org/stable/c/6b1842775a460245e97d36d3a67d0cfba7c4ff79"}],"title":"mm/alloc_tag: clear codetag for pages allocated before page_ext initialization","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-46279","datePublished":"2026-06-08T15:41:21.972Z","dateReserved":"2026-05-13T15:03:33.109Z","dateUpdated":"2026-06-08T15:41:21.972Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-08 17:16:45","lastModifiedDate":"2026-06-08 17:16:45","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"46279","Ordinal":"1","Title":"mm/alloc_tag: clear codetag for pages allocated before page_ext ","CVE":"CVE-2026-46279","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"46279","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/alloc_tag: clear codetag for pages allocated before page_ext initialization\n\nDue to initialization ordering, page_ext is allocated and initialized\nrelatively late during boot. Some pages have already been allocated and\nfreed before page_ext becomes available, leaving their codetag\nuninitialized.\n\nA clear example is in init_section_page_ext(): alloc_page_ext() calls\nkmemleak_alloc(). If the slab cache has no free objects, it falls back to\nthe buddy allocator to allocate memory. However, at this point page_ext\nis not yet fully initialized, so these newly allocated pages have no\ncodetag set. These pages may later be reclaimed by KASAN, which causes\nthe warning to trigger when they are freed because their codetag ref is\nstill empty.\n\nUse a global array to track pages allocated before page_ext is fully\ninitialized. The array size is fixed at 8192 entries, and will emit a\nwarning if this limit is exceeded. When page_ext initialization\ncompletes, set their codetag to empty to avoid warnings when they are\nfreed later.\n\nThis warning is only observed with CONFIG_MEM_ALLOC_PROFILING_DEBUG=Y and\nmem_profiling_compressed disabled:\n\n[ 9.582133] ------------[ cut here ]------------\n[ 9.582137] alloc_tag was not set\n[ 9.582139] WARNING: ./include/linux/alloc_tag.h:164 at __pgalloc_tag_sub+0x40f/0x550, CPU#5: systemd/1\n[ 9.582190] CPU: 5 UID: 0 PID: 1 Comm: systemd Not tainted 7.0.0-rc4 #1 PREEMPT(lazy)\n[ 9.582192] Hardware name: Red Hat KVM, BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[ 9.582194] RIP: 0010:__pgalloc_tag_sub+0x40f/0x550\n[ 9.582196] Code: 00 00 4c 29 e5 48 8b 05 1f 88 56 05 48 8d 4c ad 00 48 8d 2c c8 e9 87 fd ff ff 0f 0b 0f 0b e9 f3 fe ff ff 48 8d 3d 61 2f ed 03 <67> 48 0f b9 3a e9 b3 fd ff ff 0f 0b eb e4 e8 5e cd 14 02 4c 89 c7\n[ 9.582197] RSP: 0018:ffffc9000001f940 EFLAGS: 00010246\n[ 9.582200] RAX: dffffc0000000000 RBX: 1ffff92000003f2b RCX: 1ffff110200d806c\n[ 9.582201] RDX: ffff8881006c0360 RSI: 0000000000000004 RDI: ffffffff9bc7b460\n[ 9.582202] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff3a62324\n[ 9.582203] R10: ffffffff9d311923 R11: 0000000000000000 R12: ffffea0004001b00\n[ 9.582204] R13: 0000000000002000 R14: ffffea0000000000 R15: ffff8881006c0360\n[ 9.582206] FS: 00007ffbbcf2d940(0000) GS:ffff888450479000(0000) knlGS:0000000000000000\n[ 9.582208] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 9.582210] CR2: 000055ee3aa260d0 CR3: 0000000148b67005 CR4: 0000000000770ef0\n[ 9.582211] PKRU: 55555554\n[ 9.582212] Call Trace:\n[ 9.582213] \n[ 9.582214] ? __pfx___pgalloc_tag_sub+0x10/0x10\n[ 9.582216] ? check_bytes_and_report+0x68/0x140\n[ 9.582219] __free_frozen_pages+0x2e4/0x1150\n[ 9.582221] ? __free_slab+0xc2/0x2b0\n[ 9.582224] qlist_free_all+0x4c/0xf0\n[ 9.582227] kasan_quarantine_reduce+0x15d/0x180\n[ 9.582229] __kasan_slab_alloc+0x69/0x90\n[ 9.582232] kmem_cache_alloc_noprof+0x14a/0x500\n[ 9.582234] do_getname+0x96/0x310\n[ 9.582237] do_readlinkat+0x91/0x2f0\n[ 9.582239] ? __pfx_do_readlinkat+0x10/0x10\n[ 9.582240] ? get_random_bytes_user+0x1df/0x2c0\n[ 9.582244] __x64_sys_readlinkat+0x96/0x100\n[ 9.582246] do_syscall_64+0xce/0x650\n[ 9.582250] ? __x64_sys_getrandom+0x13a/0x1e0\n[ 9.582252] ? __pfx___x64_sys_getrandom+0x10/0x10\n[ 9.582254] ? do_syscall_64+0x114/0x650\n[ 9.582255] ? ksys_read+0xfc/0x1d0\n[ 9.582258] ? __pfx_ksys_read+0x10/0x10\n[ 9.582260] ? do_syscall_64+0x114/0x650\n[ 9.582262] ? do_syscall_64+0x114/0x650\n[ 9.582264] ? __pfx_fput_close_sync+0x10/0x10\n[ 9.582266] ? file_close_fd_locked+0x178/0x2a0\n[ 9.582268] ? __x64_sys_faccessat2+0x96/0x100\n[ 9.582269] ? __x64_sys_close+0x7d/0xd0\n[ 9.582271] ? do_syscall_64+0x114/0x650\n[ 9.582273] ? do_syscall_64+0x114/0x650\n[ 9.582275] ? clear_bhb_loop+0x50/0xa0\n[ 9.582277] ? clear_bhb_l\n---truncated---","Type":"Description","Title":"mm/alloc_tag: clear codetag for pages allocated before page_ext "}]}}}