2436757 – (CVE-2026-23056) CVE-2026-23056 kernel: uacce: implement mremap in uacce_vm_ops to return -EPERM

Bug 2436757 (CVE-2026-23056) - CVE-2026-23056 kernel: uacce: implement mremap in uacce_vm_ops to return -EPERM

Summary: CVE-2026-23056 kernel: uacce: implement mremap in uacce_vm_ops to return -EPERM

Keywords:
Status:	NEW
Alias:	CVE-2026-23056
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-04 17:01 UTC by OSIDB Bzimport
Modified:	2026-02-05 09:47 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-04 17:01:53 UTC

In the Linux kernel, the following vulnerability has been resolved:

uacce: implement mremap in uacce_vm_ops to return -EPERM

The current uacce_vm_ops does not support the mremap operation of
vm_operations_struct. Implement .mremap to return -EPERM to remind
users.

The reason we need to explicitly disable mremap is that when the
driver does not implement .mremap, it uses the default mremap
method. This could lead to a risk scenario:

An application might first mmap address p1, then mremap to p2,
followed by munmap(p1), and finally munmap(p2). Since the default
mremap copies the original vma's vm_private_data (i.e., q) to the
new vma, both munmap operations would trigger vma_close, causing
q->qfr to be freed twice(qfr will be set to null here, so repeated
release is ok).

Comment 1 TEJ RATHI 2026-02-05 09:21:55 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026020413-CVE-2026-23056-ddc8@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.