CVE-2026-23219 (GCVE-0-2026-23219)

Vulnerability from cvelistv5 – Published: 2026-02-18 14:21 – Updated: 2026-02-18 14:21
VLAI?
Title
mm/slab: Add alloc_tagging_slab_free_hook for memcg_alloc_abort_single
Summary
In the Linux kernel, the following vulnerability has been resolved: mm/slab: Add alloc_tagging_slab_free_hook for memcg_alloc_abort_single When CONFIG_MEM_ALLOC_PROFILING_DEBUG is enabled, the following warning may be noticed: [ 3959.023862] ------------[ cut here ]------------ [ 3959.023891] alloc_tag was not cleared (got tag for lib/xarray.c:378) [ 3959.023947] WARNING: ./include/linux/alloc_tag.h:155 at alloc_tag_add+0x128/0x178, CPU#6: mkfs.ntfs/113998 [ 3959.023978] Modules linked in: dns_resolver tun brd overlay exfat btrfs blake2b libblake2b xor xor_neon raid6_pq loop sctp ip6_udp_tunnel udp_tunnel ext4 crc16 mbcache jbd2 rfkill sunrpc vfat fat sg fuse nfnetlink sr_mod virtio_gpu cdrom drm_client_lib virtio_dma_buf drm_shmem_helper drm_kms_helper ghash_ce drm sm4 backlight virtio_net net_failover virtio_scsi failover virtio_console virtio_blk virtio_mmio dm_mirror dm_region_hash dm_log dm_multipath dm_mod i2c_dev aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject] [ 3959.024170] CPU: 6 UID: 0 PID: 113998 Comm: mkfs.ntfs Kdump: loaded Tainted: G W 6.19.0-rc7+ #7 PREEMPT(voluntary) [ 3959.024182] Tainted: [W]=WARN [ 3959.024186] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 [ 3959.024192] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 3959.024199] pc : alloc_tag_add+0x128/0x178 [ 3959.024207] lr : alloc_tag_add+0x128/0x178 [ 3959.024214] sp : ffff80008b696d60 [ 3959.024219] x29: ffff80008b696d60 x28: 0000000000000000 x27: 0000000000000240 [ 3959.024232] x26: 0000000000000000 x25: 0000000000000240 x24: ffff800085d17860 [ 3959.024245] x23: 0000000000402800 x22: ffff0000c0012dc0 x21: 00000000000002d0 [ 3959.024257] x20: ffff0000e6ef3318 x19: ffff800085ae0410 x18: 0000000000000000 [ 3959.024269] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 3959.024281] x14: 0000000000000000 x13: 0000000000000001 x12: ffff600064101293 [ 3959.024292] x11: 1fffe00064101292 x10: ffff600064101292 x9 : dfff800000000000 [ 3959.024305] x8 : 00009fff9befed6e x7 : ffff000320809493 x6 : 0000000000000001 [ 3959.024316] x5 : ffff000320809490 x4 : ffff600064101293 x3 : ffff800080691838 [ 3959.024328] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000d5bcd640 [ 3959.024340] Call trace: [ 3959.024346] alloc_tag_add+0x128/0x178 (P) [ 3959.024355] __alloc_tagging_slab_alloc_hook+0x11c/0x1a8 [ 3959.024362] kmem_cache_alloc_lru_noprof+0x1b8/0x5e8 [ 3959.024369] xas_alloc+0x304/0x4f0 [ 3959.024381] xas_create+0x1e0/0x4a0 [ 3959.024388] xas_store+0x68/0xda8 [ 3959.024395] __filemap_add_folio+0x5b0/0xbd8 [ 3959.024409] filemap_add_folio+0x16c/0x7e0 [ 3959.024416] __filemap_get_folio_mpol+0x2dc/0x9e8 [ 3959.024424] iomap_get_folio+0xfc/0x180 [ 3959.024435] __iomap_get_folio+0x2f8/0x4b8 [ 3959.024441] iomap_write_begin+0x198/0xc18 [ 3959.024448] iomap_write_iter+0x2ec/0x8f8 [ 3959.024454] iomap_file_buffered_write+0x19c/0x290 [ 3959.024461] blkdev_write_iter+0x38c/0x978 [ 3959.024470] vfs_write+0x4d4/0x928 [ 3959.024482] ksys_write+0xfc/0x1f8 [ 3959.024489] __arm64_sys_write+0x74/0xb0 [ 3959.024496] invoke_syscall+0xd4/0x258 [ 3959.024507] el0_svc_common.constprop.0+0xb4/0x240 [ 3959.024514] do_el0_svc+0x48/0x68 [ 3959.024520] el0_svc+0x40/0xf8 [ 3959.024526] el0t_64_sync_handler+0xa0/0xe8 [ 3959.024533] el0t_64_sync+0x1ac/0x1b0 [ 3959.024540] ---[ end trace 0000000000000000 ]--- When __memcg_slab_post_alloc_hook() fails, there are two different free paths depending on whether size == 1 or size != 1. In the kmem_cache_free_bulk() path, we do call alloc_tagging_slab_free_hook(). However, in memcg_alloc_abort_single() we don't, the above warning will be triggered on the next allocation. Therefore, add alloc_tagging_slab_free_hook() to the memcg_alloc_abort_single() path.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 9f9796b413d3c417f34cae427c4e47bfdd3a7454 , < b8bc72587c79fe52c14732e16a766b6eded00707 (git)
Affected: 9f9796b413d3c417f34cae427c4e47bfdd3a7454 , < e8af57e090790983591f6927b3d89ee6383f8c1e (git)
Affected: 9f9796b413d3c417f34cae427c4e47bfdd3a7454 , < e6c53ead2d8fa73206e0a63e9cd9aea6bc929837 (git)
Create a notification for this product.
    Linux Linux Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.70 , ≤ 6.12.* (semver)
Unaffected: 6.18.10 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/slub.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b8bc72587c79fe52c14732e16a766b6eded00707",
              "status": "affected",
              "version": "9f9796b413d3c417f34cae427c4e47bfdd3a7454",
              "versionType": "git"
            },
            {
              "lessThan": "e8af57e090790983591f6927b3d89ee6383f8c1e",
              "status": "affected",
              "version": "9f9796b413d3c417f34cae427c4e47bfdd3a7454",
              "versionType": "git"
            },
            {
              "lessThan": "e6c53ead2d8fa73206e0a63e9cd9aea6bc929837",
              "status": "affected",
              "version": "9f9796b413d3c417f34cae427c4e47bfdd3a7454",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/slub.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.70",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.10",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slab: Add alloc_tagging_slab_free_hook for memcg_alloc_abort_single\n\nWhen CONFIG_MEM_ALLOC_PROFILING_DEBUG is enabled, the following warning\nmay be noticed:\n\n[ 3959.023862] ------------[ cut here ]------------\n[ 3959.023891] alloc_tag was not cleared (got tag for lib/xarray.c:378)\n[ 3959.023947] WARNING: ./include/linux/alloc_tag.h:155 at alloc_tag_add+0x128/0x178, CPU#6: mkfs.ntfs/113998\n[ 3959.023978] Modules linked in: dns_resolver tun brd overlay exfat btrfs blake2b libblake2b xor xor_neon raid6_pq loop sctp ip6_udp_tunnel udp_tunnel ext4 crc16 mbcache jbd2 rfkill sunrpc vfat fat sg fuse nfnetlink sr_mod virtio_gpu cdrom drm_client_lib virtio_dma_buf drm_shmem_helper drm_kms_helper ghash_ce drm sm4 backlight virtio_net net_failover virtio_scsi failover virtio_console virtio_blk virtio_mmio dm_mirror dm_region_hash dm_log dm_multipath dm_mod i2c_dev aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject]\n[ 3959.024170] CPU: 6 UID: 0 PID: 113998 Comm: mkfs.ntfs Kdump: loaded Tainted: G        W           6.19.0-rc7+ #7 PREEMPT(voluntary)\n[ 3959.024182] Tainted: [W]=WARN\n[ 3959.024186] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022\n[ 3959.024192] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 3959.024199] pc : alloc_tag_add+0x128/0x178\n[ 3959.024207] lr : alloc_tag_add+0x128/0x178\n[ 3959.024214] sp : ffff80008b696d60\n[ 3959.024219] x29: ffff80008b696d60 x28: 0000000000000000 x27: 0000000000000240\n[ 3959.024232] x26: 0000000000000000 x25: 0000000000000240 x24: ffff800085d17860\n[ 3959.024245] x23: 0000000000402800 x22: ffff0000c0012dc0 x21: 00000000000002d0\n[ 3959.024257] x20: ffff0000e6ef3318 x19: ffff800085ae0410 x18: 0000000000000000\n[ 3959.024269] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[ 3959.024281] x14: 0000000000000000 x13: 0000000000000001 x12: ffff600064101293\n[ 3959.024292] x11: 1fffe00064101292 x10: ffff600064101292 x9 : dfff800000000000\n[ 3959.024305] x8 : 00009fff9befed6e x7 : ffff000320809493 x6 : 0000000000000001\n[ 3959.024316] x5 : ffff000320809490 x4 : ffff600064101293 x3 : ffff800080691838\n[ 3959.024328] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000d5bcd640\n[ 3959.024340] Call trace:\n[ 3959.024346]  alloc_tag_add+0x128/0x178 (P)\n[ 3959.024355]  __alloc_tagging_slab_alloc_hook+0x11c/0x1a8\n[ 3959.024362]  kmem_cache_alloc_lru_noprof+0x1b8/0x5e8\n[ 3959.024369]  xas_alloc+0x304/0x4f0\n[ 3959.024381]  xas_create+0x1e0/0x4a0\n[ 3959.024388]  xas_store+0x68/0xda8\n[ 3959.024395]  __filemap_add_folio+0x5b0/0xbd8\n[ 3959.024409]  filemap_add_folio+0x16c/0x7e0\n[ 3959.024416]  __filemap_get_folio_mpol+0x2dc/0x9e8\n[ 3959.024424]  iomap_get_folio+0xfc/0x180\n[ 3959.024435]  __iomap_get_folio+0x2f8/0x4b8\n[ 3959.024441]  iomap_write_begin+0x198/0xc18\n[ 3959.024448]  iomap_write_iter+0x2ec/0x8f8\n[ 3959.024454]  iomap_file_buffered_write+0x19c/0x290\n[ 3959.024461]  blkdev_write_iter+0x38c/0x978\n[ 3959.024470]  vfs_write+0x4d4/0x928\n[ 3959.024482]  ksys_write+0xfc/0x1f8\n[ 3959.024489]  __arm64_sys_write+0x74/0xb0\n[ 3959.024496]  invoke_syscall+0xd4/0x258\n[ 3959.024507]  el0_svc_common.constprop.0+0xb4/0x240\n[ 3959.024514]  do_el0_svc+0x48/0x68\n[ 3959.024520]  el0_svc+0x40/0xf8\n[ 3959.024526]  el0t_64_sync_handler+0xa0/0xe8\n[ 3959.024533]  el0t_64_sync+0x1ac/0x1b0\n[ 3959.024540] ---[ end trace 0000000000000000 ]---\n\nWhen __memcg_slab_post_alloc_hook() fails, there are two different\nfree paths depending on whether size == 1 or size != 1. In the\nkmem_cache_free_bulk() path, we do call alloc_tagging_slab_free_hook().\nHowever, in memcg_alloc_abort_single() we don\u0027t, the above warning will be\ntriggered on the next allocation.\n\nTherefore, add alloc_tagging_slab_free_hook() to the\nmemcg_alloc_abort_single() path."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-18T14:21:57.049Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b8bc72587c79fe52c14732e16a766b6eded00707"
        },
        {
          "url": "https://git.kernel.org/stable/c/e8af57e090790983591f6927b3d89ee6383f8c1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6c53ead2d8fa73206e0a63e9cd9aea6bc929837"
        }
      ],
      "title": "mm/slab: Add alloc_tagging_slab_free_hook for memcg_alloc_abort_single",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23219",
    "datePublished": "2026-02-18T14:21:57.049Z",
    "dateReserved": "2026-01-13T15:37:45.987Z",
    "dateUpdated": "2026-02-18T14:21:57.049Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23219\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-02-18T15:18:43.310\",\"lastModified\":\"2026-02-18T17:51:53.510\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/slab: Add alloc_tagging_slab_free_hook for memcg_alloc_abort_single\\n\\nWhen CONFIG_MEM_ALLOC_PROFILING_DEBUG is enabled, the following warning\\nmay be noticed:\\n\\n[ 3959.023862] ------------[ cut here ]------------\\n[ 3959.023891] alloc_tag was not cleared (got tag for lib/xarray.c:378)\\n[ 3959.023947] WARNING: ./include/linux/alloc_tag.h:155 at alloc_tag_add+0x128/0x178, CPU#6: mkfs.ntfs/113998\\n[ 3959.023978] Modules linked in: dns_resolver tun brd overlay exfat btrfs blake2b libblake2b xor xor_neon raid6_pq loop sctp ip6_udp_tunnel udp_tunnel ext4 crc16 mbcache jbd2 rfkill sunrpc vfat fat sg fuse nfnetlink sr_mod virtio_gpu cdrom drm_client_lib virtio_dma_buf drm_shmem_helper drm_kms_helper ghash_ce drm sm4 backlight virtio_net net_failover virtio_scsi failover virtio_console virtio_blk virtio_mmio dm_mirror dm_region_hash dm_log dm_multipath dm_mod i2c_dev aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject]\\n[ 3959.024170] CPU: 6 UID: 0 PID: 113998 Comm: mkfs.ntfs Kdump: loaded Tainted: G        W           6.19.0-rc7+ #7 PREEMPT(voluntary)\\n[ 3959.024182] Tainted: [W]=WARN\\n[ 3959.024186] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022\\n[ 3959.024192] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n[ 3959.024199] pc : alloc_tag_add+0x128/0x178\\n[ 3959.024207] lr : alloc_tag_add+0x128/0x178\\n[ 3959.024214] sp : ffff80008b696d60\\n[ 3959.024219] x29: ffff80008b696d60 x28: 0000000000000000 x27: 0000000000000240\\n[ 3959.024232] x26: 0000000000000000 x25: 0000000000000240 x24: ffff800085d17860\\n[ 3959.024245] x23: 0000000000402800 x22: ffff0000c0012dc0 x21: 00000000000002d0\\n[ 3959.024257] x20: ffff0000e6ef3318 x19: ffff800085ae0410 x18: 0000000000000000\\n[ 3959.024269] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\\n[ 3959.024281] x14: 0000000000000000 x13: 0000000000000001 x12: ffff600064101293\\n[ 3959.024292] x11: 1fffe00064101292 x10: ffff600064101292 x9 : dfff800000000000\\n[ 3959.024305] x8 : 00009fff9befed6e x7 : ffff000320809493 x6 : 0000000000000001\\n[ 3959.024316] x5 : ffff000320809490 x4 : ffff600064101293 x3 : ffff800080691838\\n[ 3959.024328] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000d5bcd640\\n[ 3959.024340] Call trace:\\n[ 3959.024346]  alloc_tag_add+0x128/0x178 (P)\\n[ 3959.024355]  __alloc_tagging_slab_alloc_hook+0x11c/0x1a8\\n[ 3959.024362]  kmem_cache_alloc_lru_noprof+0x1b8/0x5e8\\n[ 3959.024369]  xas_alloc+0x304/0x4f0\\n[ 3959.024381]  xas_create+0x1e0/0x4a0\\n[ 3959.024388]  xas_store+0x68/0xda8\\n[ 3959.024395]  __filemap_add_folio+0x5b0/0xbd8\\n[ 3959.024409]  filemap_add_folio+0x16c/0x7e0\\n[ 3959.024416]  __filemap_get_folio_mpol+0x2dc/0x9e8\\n[ 3959.024424]  iomap_get_folio+0xfc/0x180\\n[ 3959.024435]  __iomap_get_folio+0x2f8/0x4b8\\n[ 3959.024441]  iomap_write_begin+0x198/0xc18\\n[ 3959.024448]  iomap_write_iter+0x2ec/0x8f8\\n[ 3959.024454]  iomap_file_buffered_write+0x19c/0x290\\n[ 3959.024461]  blkdev_write_iter+0x38c/0x978\\n[ 3959.024470]  vfs_write+0x4d4/0x928\\n[ 3959.024482]  ksys_write+0xfc/0x1f8\\n[ 3959.024489]  __arm64_sys_write+0x74/0xb0\\n[ 3959.024496]  invoke_syscall+0xd4/0x258\\n[ 3959.024507]  el0_svc_common.constprop.0+0xb4/0x240\\n[ 3959.024514]  do_el0_svc+0x48/0x68\\n[ 3959.024520]  el0_svc+0x40/0xf8\\n[ 3959.024526]  el0t_64_sync_handler+0xa0/0xe8\\n[ 3959.024533]  el0t_64_sync+0x1ac/0x1b0\\n[ 3959.024540] ---[ end trace 0000000000000000 ]---\\n\\nWhen __memcg_slab_post_alloc_hook() fails, there are two different\\nfree paths depending on whether size == 1 or size != 1. In the\\nkmem_cache_free_bulk() path, we do call alloc_tagging_slab_free_hook().\\nHowever, in memcg_alloc_abort_single() we don\u0027t, the above warning will be\\ntriggered on the next allocation.\\n\\nTherefore, add alloc_tagging_slab_free_hook() to the\\nmemcg_alloc_abort_single() path.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/b8bc72587c79fe52c14732e16a766b6eded00707\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e6c53ead2d8fa73206e0a63e9cd9aea6bc929837\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e8af57e090790983591f6927b3d89ee6383f8c1e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.