{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23056", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.951Z", "datePublished": "2026-02-04T16:07:34.787Z", "dateUpdated": "2026-05-11T21:59:08.964Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:59:08.964Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuacce: implement mremap in uacce_vm_ops to return -EPERM\n\nThe current uacce_vm_ops does not support the mremap operation of\nvm_operations_struct. Implement .mremap to return -EPERM to remind\nusers.\n\nThe reason we need to explicitly disable mremap is that when the\ndriver does not implement .mremap, it uses the default mremap\nmethod. This could lead to a risk scenario:\n\nAn application might first mmap address p1, then mremap to p2,\nfollowed by munmap(p1), and finally munmap(p2). Since the default\nmremap copies the original vma's vm_private_data (i.e., q) to the\nnew vma, both munmap operations would trigger vma_close, causing\nq->qfr to be freed twice(qfr will be set to null here, so repeated\nrelease is ok)."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/misc/uacce/uacce.c"], "versions": [{"version": "015d239ac0142ad0e26567fd890ef8d171f13709", "lessThan": "78d99f062d42e3af2ca46bde1a8e46e0dfd372e3", "status": "affected", "versionType": "git"}, {"version": "015d239ac0142ad0e26567fd890ef8d171f13709", "lessThan": "ebfa85658a39b49ec3901ceea7535b73aa0429e6", "status": "affected", "versionType": "git"}, {"version": "015d239ac0142ad0e26567fd890ef8d171f13709", "lessThan": "75b29bdc935ff93b8e8bf6f6b4d8a4810b26e06f", "status": "affected", "versionType": "git"}, {"version": "015d239ac0142ad0e26567fd890ef8d171f13709", "lessThan": "4c042bc71474dbe417c268f4bfb8ec196f802f07", "status": "affected", "versionType": "git"}, {"version": "015d239ac0142ad0e26567fd890ef8d171f13709", "lessThan": "a407ddd61b3e6afc5ccfcd1478797171cf5686ee", "status": "affected", "versionType": "git"}, {"version": "015d239ac0142ad0e26567fd890ef8d171f13709", "lessThan": "ba29b59d124e725e0377f09b2044909c91d657a1", "status": "affected", "versionType": "git"}, {"version": "015d239ac0142ad0e26567fd890ef8d171f13709", "lessThan": "02695347be532b628f22488300d40c4eba48b9b7", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/misc/uacce/uacce.c"], "versions": [{"version": "5.7", "status": "affected"}, {"version": "0", "lessThan": "5.7", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.249", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.199", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.162", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.122", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.68", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.8", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "5.10.249"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "5.15.199"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.1.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.6.122"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.12.68"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.18.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/78d99f062d42e3af2ca46bde1a8e46e0dfd372e3"}, {"url": "https://git.kernel.org/stable/c/ebfa85658a39b49ec3901ceea7535b73aa0429e6"}, {"url": "https://git.kernel.org/stable/c/75b29bdc935ff93b8e8bf6f6b4d8a4810b26e06f"}, {"url": "https://git.kernel.org/stable/c/4c042bc71474dbe417c268f4bfb8ec196f802f07"}, {"url": "https://git.kernel.org/stable/c/a407ddd61b3e6afc5ccfcd1478797171cf5686ee"}, {"url": "https://git.kernel.org/stable/c/ba29b59d124e725e0377f09b2044909c91d657a1"}, {"url": "https://git.kernel.org/stable/c/02695347be532b628f22488300d40c4eba48b9b7"}], "title": "uacce: implement mremap in uacce_vm_ops to return -EPERM", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuacce: implement mremap in uacce_vm_ops to return -EPERM\n\nThe current uacce_vm_ops does not support the mremap operation of\nvm_operations_struct. Implement .mremap to return -EPERM to remind\nusers.\n\nThe reason we need to explicitly disable mremap is that when the\ndriver does not implement .mremap, it uses the default mremap\nmethod. This could lead to a risk scenario:\n\nAn application might first mmap address p1, then mremap to p2,\nfollowed by munmap(p1), and finally munmap(p2). Since the default\nmremap copies the original vma's vm_private_data (i.e., q) to the\nnew vma, both munmap operations would trigger vma_close, causing\nq->qfr to be freed twice(qfr will be set to null here, so repeated\nrelease is ok)."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nuacce: implementar mremap en uacce_vm_ops para devolver -EPERM\n\nEl uacce_vm_ops actual no soporta la operaci\u00f3n mremap de vm_operations_struct. Implementar .mremap para devolver -EPERM para recordar a los usuarios.\n\nLa raz\u00f3n por la que necesitamos deshabilitar expl\u00edcitamente mremap es que cuando el controlador no implementa .mremap, utiliza el m\u00e9todo mremap predeterminado. Esto podr\u00eda llevar a un escenario de riesgo:\n\nUna aplicaci\u00f3n podr\u00eda primero mmap la direcci\u00f3n p1, luego mremap a p2, seguido de munmap(p1), y finalmente munmap(p2). Dado que el mremap predeterminado copia el vm_private_data del vma original (es decir, q) al nuevo vma, ambas operaciones munmap activar\u00edan vma_close, causando que q->qfr se libere dos veces (qfr se establecer\u00e1 en nulo aqu\u00ed, por lo que la liberaci\u00f3n repetida est\u00e1 bien)."}], "id": "CVE-2026-23056", "lastModified": "2026-04-15T00:35:42.020", "metrics": {}, "published": "2026-02-04T17:16:16.273", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/02695347be532b628f22488300d40c4eba48b9b7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4c042bc71474dbe417c268f4bfb8ec196f802f07"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/75b29bdc935ff93b8e8bf6f6b4d8a4810b26e06f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/78d99f062d42e3af2ca46bde1a8e46e0dfd372e3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a407ddd61b3e6afc5ccfcd1478797171cf5686ee"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ba29b59d124e725e0377f09b2044909c91d657a1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ebfa85658a39b49ec3901ceea7535b73aa0429e6"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Deferred"}

{"bugzilla": {"description": "kernel: uacce: implement mremap in uacce_vm_ops to return -EPERM", "id": "2436757", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436757"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2026-23056", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23056\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23056\nhttps://lore.kernel.org/linux-cve-announce/2026020413-CVE-2026-23056-ddc8@gregkh/T"]}

{"analysis": {"en": {"generated_at": "2026-04-18T13:57:16.422413+00:00", "value": {"mitigation_remediation": ["Apply the Linux kernel patch that adds a .mremap entry returning -EPERM to the uacce driver\u2019s vm_ops structure using the commit references provided in the advisory.", "Rebuild and install the kernel containing the patch, ensuring the uacce driver is linked against the updated vm_ops code. Verify that the driver is loaded from the patched kernel image.", "If upgrading the kernel is not immediately feasible, disable or restrict the use of the uacce device in user applications so that mmap/mremap sequences cannot be executed against it, thereby eliminating the double\u2011free risk until a patch can be applied."], "summary": {"action": "Patch Required", "impact": "Potential double free leading to memory corruption in the uacce driver"}, "threat_synthesis": {"affected_systems": "Linux Kernel, specifically the uacce driver component. No specific kernel version numbers are provided in the advisory, but the issue exists in any kernel revision lacking the mremap implementation for the uacce driver. The advisory references multiple Git commits that introduce the fix, indicating the problem was present in the mainline kernel up to the latest stable release at the time of the advisory.", "description_and_impact": "The uacce driver in the Linux kernel lacks a mremap operation in its vm_ops structure. Without an explicit handler, the kernel defaults to a generic mremap routine that copies the original VMA\u2019s private data to a new VMA. If an application maps a region, remaps it, and then unmaps both the original and remapped areas, the default behavior causes the driver\u2019s q->qfr resource to be released twice. Although the driver subsequently nulls the pointer to avoid a repeated release, the double\u2011free risk remains a classic vulnerability that could be leveraged to corrupt memory or crash the system. Signalling EPERM prevents this scenario but requires an upgrade.", "risk_and_exploitability": "The Exploit Prediction Scoring System (EPSS) indicates a probability of exploitation less than 1%, placing the risk in the very low range. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalogue, suggesting that no public, active exploitation has been documented. The absence of a CVSS score in the advisory makes it difficult to quantify severity precisely, but the potential for a double\u2011free memory corruption and the local nature of the required calls point toward a moderate to high impact if exploited. Nonetheless, because the default behavior mitigates some aspects (nulling the pointer) and because available systems are expected to apply the fix soon, the immediate threat level remains low. However, it is advisable to apply the available patch promptly, as a double\u2011free can lead to denial of service or, in some contexts, privilege escalation if the corrupted memory can be leveraged."}}}}, "created": "2026-04-18T14:00:02.187294+00:00", "updated": "2026-04-18T14:00:02.187318+00:00", "vendors": [], "weaknesses": ["CWE-415"]}