CVE-2026-23432 PUBLISHED

mshv: Fix use-after-free in mshv_map_user_memory error path

Assigner: Linux
Reserved: 13.01.2026 Published: 03.04.2026 Updated: 03.04.2026

In the Linux kernel, the following vulnerability has been resolved:

mshv: Fix use-after-free in mshv_map_user_memory error path

In the error path of mshv_map_user_memory(), calling vfree() directly on the region leaves the MMU notifier registered. When userspace later unmaps the memory, the notifier fires and accesses the freed region, causing a use-after-free and potential kernel panic.

Replace vfree() with mshv_partition_put() to properly unregister the MMU notifier before freeing the region.

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from b9a66cd5ccbb9fade15d0e427e19470d8ad35b75 to 34861bdc0c0196b6c2dd48f7454029407704ff6e (excl.)
  • affected from b9a66cd5ccbb9fade15d0e427e19470d8ad35b75 to 6922db250422a0dfee34de322f86b7a73d713d33 (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 6.19 is affected
  • unaffected from 0 to 6.19 (excl.)
  • unaffected from 6.19.10 to 6.19.* (incl.)
  • unaffected from 7.0-rc5 to * (incl.)

References