PatchSiren

CVE-2026-46093 Linux CVE debrief

A race condition in the Linux kernel's vmalloc subsystem could lead to memory leaks when the shrinker path and the purge path execute concurrently. The vulnerability exists because decay_va_pool_node() lacks proper serialization when invoked from vmap_node_shrink_scan() via the shrinker, while __purge_vmap_area_lazy() already holds vmap_purge_lock. The fix adds vmap_purge_lock acquisition in the shrinker path to ensure mutual exclusion with purge operations. This is a local-only issue affecting kernel memory management; exploitation requires the ability to trigger memory pressure conditions that activate the shrinker. No CVSS score has been assigned by NVD as of publication.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators, kernel maintainers, and security teams managing systems where untrusted users may create memory pressure conditions.

Technical summary

The Linux kernel's vmalloc subsystem contains a race condition where decay_va_pool_node() can be called concurrently from two paths: __purge_vmap_area_lazy() (which holds vmap_purge_lock) and vmap_node_shrink_scan() (the shrinker path, which did not). This concurrent execution without proper locking could lead to races and memory leaks. The resolution adds vmap_purge_lock acquisition in the shrinker path to ensure serialization with purge users. The vulnerability is local-only and requires conditions that trigger shrinker activation.
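
A simplified userspace model of the race described above, added here as an illustration and not taken from the kernel source or the patch: the detach/trim/reattach steps, the pool layout and leaked_nodes() are assumptions, and purge_lock only stands in for vmap_purge_lock. It replays one fixed interleaving of the purge path (A) and the shrinker path (B) in a single thread so the outcome is deterministic.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model: names echo the advisory, the bodies are assumptions. */
struct node { struct node *next; };
static struct node *pool;   /* shared pool that both paths decay */
static int live;            /* nodes allocated and not yet freed */
static atomic_flag purge_lock = ATOMIC_FLAG_INIT; /* stand-in for vmap_purge_lock */

static void pool_fill(int n) {
    pool = NULL; live = 0;
    while (n-- > 0) {
        struct node *x = malloc(sizeof *x);
        if (!x) abort();
        x->next = pool; pool = x; live++;
    }
}
static int list_len(struct node *x) { int n = 0; for (; x; x = x->next) n++; return n; }

/* Decay step 1: detach the pool to a private list and free a quarter of it. */
static struct node *decay_detach(void) {
    struct node *priv = pool; pool = NULL;
    for (int drop = list_len(priv) / 4; drop > 0; drop--) {
        struct node *x = priv;
        priv = x->next; free(x); live--;
    }
    return priv;
}
/* Decay step 2: put the remainder back, overwriting the pool head. */
static void decay_reattach(struct node *priv) { pool = priv; }

/* One fixed interleaving of purge (A) and shrinker (B); returns nodes leaked. */
int leaked_nodes(int shrinker_takes_lock) {
    pool_fill(8);
    atomic_flag_test_and_set(&purge_lock);   /* A: purge path holds the lock */
    struct node *a = decay_detach();         /* A keeps 6, pool is now empty */
    /* B enters mid-decay unless it must take the lock that A already holds. */
    int b_races = !shrinker_takes_lock || !atomic_flag_test_and_set(&purge_lock);
    struct node *b = b_races ? decay_detach() : NULL; /* B detaches an empty pool */
    decay_reattach(a);                       /* A: pool holds 6 again */
    atomic_flag_clear(&purge_lock);          /* A: unlock */
    if (!b_races) {                          /* B waited and now runs alone */
        atomic_flag_test_and_set(&purge_lock);
        b = decay_detach();                  /* frees 1 of 6 */
    }
    decay_reattach(b);   /* a racing B overwrites A's 6 nodes with its empty list */
    if (!b_races) atomic_flag_clear(&purge_lock);
    return live - list_len(pool);            /* allocated but no longer reachable */
}
int main(void) { printf("racy=%d locked=%d\n", leaked_nodes(0), leaked_nodes(1)); return 0; }
```

In the model, the unserialized run orphans the six nodes that A put back, while the run in which B takes the lock leaves every live node reachable from the pool.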

Defensive priority

medium

Recommended defensive actions

  • Apply kernel patches from stable branches when available for your distribution
  • Monitor vendor security advisories for kernel updates addressing this vmalloc race condition
  • Prioritize patching systems under memory pressure or with untrusted local users
  • Review system logs for unusual vmalloc-related warnings that may indicate trigger attempts

Evidence notes

CVE description confirms concurrent invocation paths and missing serialization. Kernel git commits (ref-4, ref-5, ref-6) provide patch implementation. NVD status shows 'Awaiting Analysis' with no CVSS assigned.
