Concurrency Vulnerability in Linux Kernel Affecting Memory Management
CVE-2026-46093
What is CVE-2026-46093?
A concurrency vulnerability exists in the memory management subsystem of the Linux kernel, in the decay_va_pool_node() function. The function can be invoked concurrently from two execution paths: from __purge_vmap_area_lazy(), and from the shrinker via vmap_node_shrink_scan(). Serialization between these paths is inadequate, so the two callers can race, leading to potential memory leaks and risks to system stability. The fix is to acquire vmap_purge_lock in the shrinker path, so that the two paths are serialized, preventing data corruption.
Affected Version(s)
Linux 7679ba6b36dbb300b757b672d6a32a606499e14b < 687ccdf582169cd680aeaf24cc953807c4cd4345
Linux 7679ba6b36dbb300b757b672d6a32a606499e14b < 12f2341b4c235d5593a433abac201c1c6725787f
Linux 7679ba6b36dbb300b757b672d6a32a606499e14b