mm/slab: return NULL early from kmalloc_nolock() in NMI on UP

7 / 10

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/slab: return NULL early from kmalloc_nolock() in NMI on UP

On UP kernels (!CONFIG_SMP), spin_trylock() is a no-op that
unconditionally succeeds even when the lock is already held. As a
result, kmalloc_nolock() called from NMI context can re-enter the slab
allocator and acquire n->list_lock that the interrupted context is
already holding, corrupting slab state.

With CONFIG_DEBUG_SPINLOCK on UP, the following BUG is triggered with
the slub_kunit test module:

BUG: spinlock trylock failure on UP on CPU#0, kunit_try_catch/243
[...]
Call Trace:
<NMI>
dump_stack_lvl+0x3f/0x60
do_raw_spin_trylock+0x41/0x50
_raw_spin_trylock+0x24/0x50
get_from_partial_node+0x120/0x4d0
___slab_alloc+0x8a/0x4c0
kmalloc_nolock_noprof+0x164/0x310
[...]
</NMI>

Fix this by returning NULL early when invoked from NMI on a UP kernel.

Basic Information

ID CVE-2026-46029

Source Linux

Published May 27, 2026 at 12:56

Modified May 30, 2026 at 10:46

Affected Product

Vendor Linux

Product Linux

Version af92793e52c3a99b828ed4bdd277fd3e11c18d08

Affected Versions Linux Linux af92793e52c3a99b828ed4bdd277fd3e11c18d08
Linux Linux af92793e52c3a99b828ed4bdd277fd3e11c18d08
Linux Linux af92793e52c3a99b828ed4bdd277fd3e11c18d08
Linux Linux 6.18

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slab: return NULL early from kmalloc_nolock() in NMI on UP\n\nOn UP kernels (!CONFIG_SMP), spin_trylock() is a no-op that\nunconditionally succeeds even when the lock is already held. As a\nresult, kmalloc_nolock() called from NMI context can re-enter the slab\nallocator and acquire n->list_lock that the interrupted context is\nalready holding, corrupting slab state.\n\nWith CONFIG_DEBUG_SPINLOCK on UP, the following BUG is triggered with\nthe slub_kunit test module:\n\n  BUG: spinlock trylock failure on UP on CPU#0, kunit_try_catch/243\n  [...]\n  Call Trace:\n   <NMI>\n   dump_stack_lvl+0x3f/0x60\n   do_raw_spin_trylock+0x41/0x50\n   _raw_spin_trylock+0x24/0x50\n   get_from_partial_node+0x120/0x4d0\n   ___slab_alloc+0x8a/0x4c0\n   kmalloc_nolock_noprof+0x164/0x310\n   [...]\n   </NMI>\n\nFix this by returning NULL early when invoked from NMI on a UP kernel.",
    "published": "2026-05-27T12:56:38.376Z",
    "modified": "2026-05-30T10:46:46.112Z",
    "type": "cve",
    "title": "mm/slab: return NULL early from kmalloc_nolock() in NMI on UP",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/a8d95d274be241ad21f6523bf2d6ba0d7d7e46b7\nhttps://git.kernel.org/stable/c/d66553204a15bdb257d9ef8aca1e12f5fbb910b2\nhttps://git.kernel.org/stable/c/5b31044e649e3e54c2caef135c09b371c2fbcd08",
    "id": "CVE-2026-46029",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux af92793e52c3a99b828ed4bdd277fd3e11c18d08\nLinux Linux af92793e52c3a99b828ed4bdd277fd3e11c18d08\nLinux Linux af92793e52c3a99b828ed4bdd277fd3e11c18d08\nLinux Linux 6.18",
    "sourceHref": "",
    "cvss": {
        "score": 7,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "af92793e52c3a99b828ed4bdd277fd3e11c18d08",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

mm/slab: return NULL early from kmalloc_nolock() in NMI on UP_CVE-2026-46029

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply