CVE-2026-23161 [High] | Security Vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: mm/shmem, swap: fix race of truncate and swap entry split The helper for shmem swap freeing is not handling the order of swap entries correctly. It uses xa_cmpxchg_irq to erase the swap entry, but it gets the entry order before that using xa_get_order without lock protection, and it may get an outdated order value if the entry is split or changed in other ways after the xa_get_order and before the xa_cmpxchg_irq. And besides, the order could grow and be larger than expected, and cause truncation to erase data beyond the end border. For example, if the target entry and following entries are swapped in or freed, then a large folio was added in place and swapped out, using the same entry, the xa_cmpxchg_irq will still succeed, it's very unlikely to happen though. To fix that, open code the Xarray cmpxchg and put the order retrieval and value checking in the same critical section. Also, ensure the order won't exceed the end border, skip it if the entry goes across the border. Skipping large swap entries crosses the end border is safe here. Shmem truncate iterates the range twice, in the first iteration, find_lock_entries already filtered such entries, and shmem will swapin the entries that cross the end border and partially truncate the folio (split the folio or at least zero part of it). So in the second loop here, if we see a swap entry that crosses the end order, it must at least have its content erased already. I observed random swapoff hangs and kernel panics when stress testing ZSWAP with shmem. After applying this patch, all problems are gone.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-02-15	—	0.02%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-02-15

—

0.02%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
7.3	3.1	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.8	5.5	416baaa9-dc9f-4396-8d5f-8c081fb06d67
4.7	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.0	3.6	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

7.3

3.1

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

1.8

5.5

416baaa9-dc9f-4396-8d5f-8c081fb06d67

4.7

3.1

MEDIUM

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

1.0

3.6

[email protected]

OS Trackers for CVE-2026-23161

vendor	priority	summary	link
`debian`	unimportant	CVE-2026-23161 unimportant priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2026-23161
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2026-23161
`suse`	high	CVE-2026-23161 severity important: SUSE including 141 source package names (2.2.1-5.81:libblkid1-2.40.4-slfo.1.1_4.1, 2.2.1-5.81:libfdisk1-2.40.4-slfo.1.1_4.1, …), 468 product×package rows across 53 product lines (Container suse/sl-micro/6.1/baremetal-os-container, Container suse/sl-micro/6.1/base-os-container, … (53 product lines)): Fixed 227, Known Not Affected 216, First Fixed 25.	https://www.suse.com/security/cve/CVE-2026-23161/
`ubuntu`	medium	CVE-2026-23161 medium priority: Ubuntu including 157 source packages (linux, linux-allwinner-5.19, …), 1256 status rows across 8 suites (bionic, focal, jammy, noble, questing, trusty, upstream, xenial): DNE 871, ignored 169, not-affected 112, released 83, needed 21.	https://ubuntu.com/security/CVE-2026-23161

Affected software / configurations for CVE-2026-23161

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 6.12, < 6.12.69	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.13, < 6.18.9	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	6.19	cpe:2.3:o:linux:linux_kernel:6.19:rc1::::::
linux	linux_kernel	6.19	cpe:2.3:o:linux:linux_kernel:6.19:rc2::::::
linux	linux_kernel	6.19	cpe:2.3:o:linux:linux_kernel:6.19:rc3::::::
linux	linux_kernel	6.19	cpe:2.3:o:linux:linux_kernel:6.19:rc4::::::
linux	linux_kernel	6.19	cpe:2.3:o:linux:linux_kernel:6.19:rc5::::::
linux	linux_kernel	6.19	cpe:2.3:o:linux:linux_kernel:6.19:rc6::::::
linux	linux_kernel	6.19	cpe:2.3:o:linux:linux_kernel:6.19:rc7::::::

References for CVE-2026-23161

URL	Tags
https://git.kernel.org/stable/c/8a1968bd997f45a9b11aefeabdd1232e1b6c7184	Patch
https://git.kernel.org/stable/c/a99f9a4669a04662c8f9efe0e62cafc598153139	Patch
https://git.kernel.org/stable/c/b23bee8cdb7aabce5701a7f57414db5a354ae8ed	Patch

URL

CVE-2026-23161 | mm/shmem, swap: fix race of truncate and swap entry split

Exploit prediction scoring system (EPSS) score for CVE-2026-23161

Common vulnerability scoring system (CVSS) metrics for CVE-2026-23161

Weakness enumeration for CVE-2026-23161

OS Trackers for CVE-2026-23161

Affected software / configurations for CVE-2026-23161

References for CVE-2026-23161