{"id":77386,"date":"2026-02-18T19:52:32","date_gmt":"2026-02-18T16:22:32","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2026-23225-sched-mmcid-dont-assume-cid-is-cpu-owned-on-mode-switch\/"},"modified":"2026-02-18T19:52:32","modified_gmt":"2026-02-18T16:22:32","slug":"cve-2026-23225-sched-mmcid-dont-assume-cid-is-cpu-owned-on-mode-switch","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2026-23225-sched-mmcid-dont-assume-cid-is-cpu-owned-on-mode-switch\/","title":{"rendered":"CVE-2026-23225 – sched\/mmcid: Don’t assume CID is CPU owned on mode switch"},"content":{"rendered":"

CVE ID : CVE-2026-23225<\/p>\n

Published : Feb. 18, 2026, 4:22 p.m. | 37\u00a0minutes ago<\/p>\n

Description : In the Linux kernel, the following vulnerability has been resolved:<\/p>\n

sched\/mmcid: Don’t assume CID is CPU owned on mode switch<\/p>\n

Shinichiro reported a KASAN UAF, which is actually an out of bounds access
\nin the MMCID management code.<\/p>\n

CPU0\t\t\t\t\t\tCPU1
\n \t\t\t\t\t\tT1 runs in userspace
\n T0: fork(T4) -> Switch to per CPU CID mode
\n fixup() set MM_CID_TRANSIT on T1\/CPU1
\n T4 exit()
\n T3 exit()
\n T2 exit()
\n\t\t\t\t\t\tT1 exit() switch to per task mode
\n\t\t\t\t\t\t —> Out of bounds access.<\/p>\n

As T1 has not scheduled after T0 set the TRANSIT bit, it exits with the
\nTRANSIT bit set. sched_mm_cid_remove_user() clears the TRANSIT bit in
\nthe task and drops the CID, but it does not touch the per CPU storage.
\nThat’s functionally correct because a CID is only owned by the CPU when
\nthe ONCPU bit is set, which is mutually exclusive with the TRANSIT flag.<\/p>\n

Now sched_mm_cid_exit() assumes that the CID is CPU owned because the
\nprior mode was per CPU. It invokes mm_drop_cid_on_cpu() which clears the
\nnot set ONCPU bit and then invokes clear_bit() with an insanely large
\nbit number because TRANSIT is set (bit 29).<\/p>\n

Prevent that by actually validating that the CID is CPU owned in
\nmm_drop_cid_on_cpu().<\/p>\n

Severity: 0.0 | NA<\/p>\n

Visit the link for more details, such as CVSS details, affected products, timeline, and more…\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"

CVE ID : CVE-2026-23225 Published : Feb. 18, 2026, 4:22 p.m. | 37\u00a0minutes ago Description : In the Linux kernel, the following vulnerability has been resolved: sched\/mmcid: Don’t assume CID is CPU owned on mode switch Shinichiro reported a KASAN UAF, which is actually an out of bounds access in the MMCID management code. CPU0 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-77386","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/77386","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=77386"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/77386\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=77386"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=77386"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=77386"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}