
CVE-2026-23225

Published: February 18, 2026 · Updated: Feb 23, 2026

EPSS: 0.02% probability of exploitation in 30 days · Percentile: 4.5th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

sched/mmcid: Don't assume CID is CPU owned on mode switch

Shinichiro reported a KASAN UAF, which is actually an out of bounds access
in the MMCID management code.

   CPU0 CPU1
   T1 runs in userspace
   T0: fork(T4) -> Switch to per CPU CID mode
         fixup() set MM_CID_TRANSIT on T1/CPU1
   T4 exit()
   T3 exit()
   T2 exit()
   T1 exit() switch to per task mode
    ---> Out of bounds access.

As T1 has not scheduled after T0 set the TRANSIT bit, it exits with the
TRANSIT bit set. sched_mm_cid_remove_user() clears the TRANSIT bit in
the task and drops the CID, but it does not touch the per CPU storage.
That's functionally correct because a CID is only owned by the CPU when
the ONCPU bit is set, which is mutually exclusive with the TRANSIT flag.

Now sched_mm_cid_exit() assumes that the CID is CPU owned because the
prior mode was per CPU. It invokes mm_drop_cid_on_cpu() which clears the
not set ONCPU bit and then invokes clear_bit() with an insanely large
bit number because TRANSIT is set (bit 29).

Prevent that by actually validating that the CID is CPU owned in
mm_drop_cid_on_cpu().

NVD Source
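
The bit arithmetic behind the out of bounds access described above, as a user-space C model added here (it is not kernel code and not the upstream patch). TRANSIT as bit 29 comes from the description; the ONCPU bit position, the bitmap size and the names model_clear_bit, drop_cid_on_cpu_unchecked and drop_cid_on_cpu_checked are assumptions of this model.

```c
#include <stdbool.h>
#include <stdio.h>

/* TRANSIT = bit 29 is from the description. The ONCPU bit position and
 * the bitmap size are assumptions made for this user-space model. */
#define MM_CID_TRANSIT (1u << 29)
#define MM_CID_ONCPU   (1u << 30)
#define MAX_CIDS       64u

static unsigned long long cid_bitmap; /* one bit per allocated CID */

/* Bounds-checked stand-in for clear_bit(): refuses instead of corrupting. */
static bool model_clear_bit(unsigned int nr)
{
    if (nr >= MAX_CIDS)
        return false; /* an unchecked clear_bit() would write far past the bitmap */
    cid_bitmap &= ~(1ull << nr);
    return true;
}

/* Pre-fix logic: assume CPU ownership, strip ONCPU, return the bit index. */
static unsigned int drop_cid_on_cpu_unchecked(unsigned int cid)
{
    return cid & ~MM_CID_ONCPU;
}

/* Fixed logic as described: act only when the CID really is CPU owned. */
static bool drop_cid_on_cpu_checked(unsigned int cid)
{
    if (!(cid & MM_CID_ONCPU))
        return false; /* TRANSIT or plain CID: the per CPU slot owns nothing */
    return model_clear_bit(cid & ~MM_CID_ONCPU);
}

int main(void)
{
    unsigned int stale = 3u | MM_CID_TRANSIT; /* constructed: CID 3 left in per CPU storage */
    unsigned int idx = drop_cid_on_cpu_unchecked(stale);

    cid_bitmap = 1ull << 3;
    printf("unchecked bit index: %u, in bounds: %d\n", idx, model_clear_bit(idx));
    printf("checked drop of TRANSIT value acted: %d\n", drop_cid_on_cpu_checked(stale));
    printf("checked drop of ONCPU value acted: %d\n", drop_cid_on_cpu_checked(3u | MM_CID_ONCPU));
    return 0;
}
```

With TRANSIT left set, the index handed to the bit clear is the CID plus 2^29, which is why KASAN flagged an access far outside the CID bitmap.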

Technical Analysis

CVE-2026-23225 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Quick Facts

CVE ID: CVE-2026-23225
Severity: NONE
CISA KEV: No
EPSS (30d): 0.02%
Published: Feb 18, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23225 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.