Linux Kernel: cgroup/dmem Memory Leak in Pool

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

Linux Kernel: cgroup/dmem Memory Leak in Pool

UBUNTU-CVE-2026-23195

Summary

A memory leak bug was found in the Linux kernel's cgroup/dmem module, which could cause data corruption or crashes. This issue is now fixed in a recent kernel update. To ensure your system is protected, apply the latest kernel update to fix this problem.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
canonical	linux-hwe-edge	All versions	–
canonical	linux-aws-5.0	All versions	–
canonical	linux-aws-5.3	All versions	–
canonical	linux-azure	All versions	–
canonical	linux-azure-5.3	All versions	–
canonical	linux-azure-edge	All versions	–
canonical	linux-gcp	All versions	–
canonical	linux-gcp-5.3	All versions	–
canonical	linux-gke-4.15	All versions	–
canonical	linux-gke-5.4	All versions	–
canonical	linux-gkeop-5.4	All versions	–
canonical	linux-hwe	All versions	–
canonical	linux-hwe-edge	All versions	–
canonical	linux-oem	All versions	–
canonical	linux-oracle-5.0	All versions	–
canonical	linux-oracle-5.3	All versions	–
canonical	linux-aws-5.11	All versions	–
canonical	linux-aws-5.13	All versions	–
canonical	linux-aws-5.8	All versions	–
canonical	linux-azure-5.11	All versions	–
canonical	linux-azure-5.13	All versions	–
canonical	linux-azure-5.8	All versions	–
canonical	linux-azure-fde	All versions	–
canonical	linux-gcp-5.11	All versions	–
canonical	linux-gcp-5.13	All versions	–
canonical	linux-gcp-5.8	All versions	–
canonical	linux-gke	All versions	–
canonical	linux-gke-5.15	All versions	–
canonical	linux-gkeop	All versions	–
canonical	linux-gkeop-5.15	All versions	–
canonical	linux-hwe-5.11	All versions	–
canonical	linux-hwe-5.13	All versions	–
canonical	linux-hwe-5.8	All versions	–
canonical	linux-intel-5.13	All versions	–
canonical	linux-oem-5.10	All versions	–
canonical	linux-oem-5.13	All versions	–
canonical	linux-oem-5.14	All versions	–
canonical	linux-oem-5.6	All versions	–
canonical	linux-oracle-5.11	All versions	–
canonical	linux-oracle-5.13	All versions	–
canonical	linux-oracle-5.8	All versions	–
canonical	linux-raspi2	All versions	–
canonical	linux-riscv	All versions	–
canonical	linux-riscv-5.11	All versions	–
canonical	linux-riscv-5.8	All versions	–
canonical	linux-allwinner-5.19	All versions	–
canonical	linux-aws-5.19	All versions	–
canonical	linux-aws-6.2	All versions	–
canonical	linux-aws-6.5	All versions	–
canonical	linux-azure-5.19	All versions	–
canonical	linux-azure-6.2	All versions	–
canonical	linux-azure-6.5	All versions	–
canonical	linux-azure-fde-5.19	All versions	–
canonical	linux-azure-fde-6.2	All versions	–
canonical	linux-gcp-5.19	All versions	–
canonical	linux-gcp-6.2	All versions	–
canonical	linux-gcp-6.5	All versions	–
canonical	linux-hwe-5.19	All versions	–
canonical	linux-hwe-6.2	All versions	–
canonical	linux-hwe-6.5	All versions	–
canonical	linux-intel-iot-realtime	All versions	–
canonical	linux-lowlatency-hwe-5.19	All versions	–
canonical	linux-lowlatency-hwe-6.2	All versions	–
canonical	linux-lowlatency-hwe-6.5	All versions	–
canonical	linux-nvidia-6.2	All versions	–
canonical	linux-nvidia-6.5	All versions	–
canonical	linux-oem-5.17	All versions	–
canonical	linux-oem-6.0	All versions	–
canonical	linux-oem-6.1	All versions	–
canonical	linux-oem-6.5	All versions	–
canonical	linux-oracle-6.5	All versions	–
canonical	linux-realtime	All versions	–
canonical	linux-riscv	All versions	–
canonical	linux-riscv-5.19	All versions	–
canonical	linux-riscv-6.5	All versions	–
canonical	linux-starfive-5.19	All versions	–
canonical	linux-starfive-6.2	All versions	–
canonical	linux-starfive-6.5	All versions	–
canonical	linux-aws-6.14	All versions	–
canonical	linux-aws-6.17	All versions	–
canonical	linux-azure-6.11	All versions	–
canonical	linux-azure-6.14	All versions	–
canonical	linux-azure-6.17	All versions	–
canonical	linux-azure-fde-6.14	All versions	–
canonical	linux-azure-fde-6.17	All versions	–
canonical	linux-azure-nvidia-6.14	All versions	–
canonical	linux-gcp-6.11	All versions	–
canonical	linux-gcp-6.14	All versions	–
canonical	linux-gcp-6.17	All versions	–
canonical	linux-hwe-6.11	All versions	–
canonical	linux-hwe-6.14	All versions	–
canonical	linux-hwe-6.17	All versions	–
canonical	linux-lowlatency-hwe-6.11	All versions	–
canonical	linux-nvidia-6.11	All versions	–
canonical	linux-oem-6.11	All versions	–
canonical	linux-oem-6.14	All versions	–
canonical	linux-oem-6.17	All versions	–
canonical	linux-oem-6.8	All versions	–
canonical	linux-oracle-6.14	All versions	–
canonical	linux-oracle-6.17	All versions	–
canonical	linux-raspi-realtime	All versions	–
canonical	linux-realtime	All versions	–
canonical	linux-riscv	All versions	–
canonical	linux-riscv-6.14	All versions	–
canonical	linux-riscv-6.17	All versions	–
canonical	linux-realtime-6.14	All versions	–
canonical	linux	All versions	–
canonical	linux-aws	All versions	–
canonical	linux-azure	All versions	–
canonical	linux-azure-fde	All versions	–
canonical	linux-gcp	All versions	–
canonical	linux-oracle	All versions	–
canonical	linux-raspi	All versions	–
canonical	linux-realtime	All versions	–
canonical	linux-riscv	All versions	–

Original title

Original description

In the Linux kernel, the following vulnerability has been resolved: cgroup/dmem: avoid pool UAF An UAF issue was observed: BUG: KASAN: slab-use-after-free in page_counter_uncharge+0x65/0x150 Write of size 8 at addr ffff888106715440 by task insmod/527 CPU: 4 UID: 0 PID: 527 Comm: insmod 6.19.0-rc7-next-20260129+ #11 Tainted: [O]=OOT_MODULE Call Trace: <TASK> dump_stack_lvl+0x82/0xd0 kasan_report+0xca/0x100 kasan_check_range+0x39/0x1c0 page_counter_uncharge+0x65/0x150 dmem_cgroup_uncharge+0x1f/0x260 Allocated by task 527: Freed by task 0: The buggy address belongs to the object at ffff888106715400 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 64 bytes inside of freed 512-byte region [ffff888106715400, ffff888106715600) The buggy address belongs to the physical page: Memory state around the buggy address: ffff888106715300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888106715380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888106715400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888106715480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888106715500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb The issue occurs because a pool can still be held by a caller after its associated memory region is unregistered. The current implementation frees the pool even if users still hold references to it (e.g., before uncharge operations complete). This patch adds a reference counter to each pool, ensuring that a pool is only freed when its reference count drops to zero.

https://ubuntu.com/security/CVE-2026-23195 Third Party Advisory
https://www.cve.org/CVERecord?id=CVE-2026-23195 Third Party Advisory
https://git.kernel.org/linus/99a2ef500906138ba58093b9893972a5c303c734 Third Party Advisory
https://git.kernel.org/stable/c/99a2ef500906138ba58093b9893972a5c303c734 Third Party Advisory
https://git.kernel.org/stable/c/d3081353acaa6a638dcf75726066ea556a2de8d5 Third Party Advisory

Published: 14 Feb 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026