GHSA-CX4P-78XJ-392Q
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-05-27 15:33In the Linux kernel, the following vulnerability has been resolved:
mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI on UP
On UP kernels (!CONFIG_SMP), spin_trylock() is a no-op that unconditionally succeeds even when the lock is already held. As a result, alloc_frozen_pages_nolock() called from NMI context can re-enter rmqueue() and acquire the zone lock that the interrupted context is already holding, corrupting the freelists.
With CONFIG_DEBUG_SPINLOCK on UP, the following BUG is triggered with the slub_kunit test module:
BUG: spinlock trylock failure on UP on CPU#0, kunit_try_catch/243 [...] Call Trace: dump_stack_lvl+0x3f/0x60 do_raw_spin_trylock+0x41/0x50 _raw_spin_trylock+0x24/0x50 rmqueue.isra.0+0x2a9/0xa70 get_page_from_freelist+0xeb/0x450 alloc_frozen_pages_nolock_noprof+0x111/0x1e0 allocate_slab+0x42a/0x500 ___slab_alloc+0xa7/0x4c0 kmalloc_nolock_noprof+0x164/0x310 [...]
Fix this by returning NULL early when invoked from NMI on a UP kernel.
{
"affected": [],
"aliases": [
"CVE-2026-46035"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:22Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI on UP\n\nOn UP kernels (!CONFIG_SMP), spin_trylock() is a no-op that\nunconditionally succeeds even when the lock is already held. As a\nresult, alloc_frozen_pages_nolock() called from NMI context can\nre-enter rmqueue() and acquire the zone lock that the interrupted\ncontext is already holding, corrupting the freelists.\n\nWith CONFIG_DEBUG_SPINLOCK on UP, the following BUG is triggered with\nthe slub_kunit test module:\n\n BUG: spinlock trylock failure on UP on CPU#0, kunit_try_catch/243\n [...]\n Call Trace:\n \u003cNMI\u003e\n dump_stack_lvl+0x3f/0x60\n do_raw_spin_trylock+0x41/0x50\n _raw_spin_trylock+0x24/0x50\n rmqueue.isra.0+0x2a9/0xa70\n get_page_from_freelist+0xeb/0x450\n alloc_frozen_pages_nolock_noprof+0x111/0x1e0\n allocate_slab+0x42a/0x500\n ___slab_alloc+0xa7/0x4c0\n kmalloc_nolock_noprof+0x164/0x310\n [...]\n \u003c/NMI\u003e\n\nFix this by returning NULL early when invoked from NMI on a UP kernel.",
"id": "GHSA-cx4p-78xj-392q",
"modified": "2026-05-27T15:33:21Z",
"published": "2026-05-27T15:33:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46035"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/05b4ed8bef30bba4f559c8d835e2dd20c48cf8a4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/620b46ed6ae17c8438d889c8c0cfddab36a1476c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a6d57efeaae3f3b3656514f600eac96be713d90e"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.