PatchSiren cyber security CVE debrief
CVE-2026-46279 Linux CVE debrief
A vulnerability was found in the Linux kernel, specifically in the mm/alloc_tag component. The issue arises due to the initialization ordering of page_ext, which is allocated and initialized relatively late during boot. Some pages have already been allocated and freed before page_ext becomes available, leaving their codetag uninitialized. This can cause a warning to trigger when these pages are later reclaimed by KASAN and freed because their codetag reference is still empty. The fix involves using a global array to track pages allocated before page_ext is fully initialized.
- Vendor
- Linux
- Product
- Unknown
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-08
- Original CVE updated
- 2026-06-08
- Advisory published
- 2026-06-08
- Advisory updated
- 2026-06-08
Who should care
Users of the Linux kernel who have CONFIG_MEM_ALLOC_PROFILING_DEBUG=Y and mem_profiling_compressed disabled are affected by this vulnerability.
Technical summary
The vulnerability is caused by the initialization ordering of page_ext in the Linux kernel. The issue can be resolved by using a global array to track pages allocated before page_ext is fully initialized.
Defensive priority
Medium
Recommended defensive actions
- Update the Linux kernel to the latest version that includes the fix for this vulnerability.
- Enable CONFIG_MEM_ALLOC_PROFILING_DEBUG=Y and disable mem_profiling_compressed to prevent the warning from triggering.
Evidence notes
The CVE record for CVE-2026-46279 provides detailed information about the vulnerability, including its description, CVSS score, and references.
Official resources
-
CVE-2026-46279 CVE record
CVE.org
-
CVE-2026-46279 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67
-
Source reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67
-
Source reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67
public