CVE-2026-23056
uacce: implement mremap in uacce_vm_ops to return -EPERM
Vexday Risk Score
3Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS —EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
04 Feb 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
In the Linux kernel, the following vulnerability has been resolved:
uacce: implement mremap in uacce_vm_ops to return -EPERM
The current uacce_vm_ops does not support the mremap operation of
vm_operations_struct. Implement .mremap to return -EPERM to remind
users.
The reason we need to explicitly disable mremap is that when the
driver does not implement .mremap, it uses the default mremap
method. This could lead to a risk scenario:
An application might first mmap address p1, then mremap to p2,
followed by munmap(p1), and finally munmap(p2). Since the default
mremap copies the original vma's vm_private_data (i.e., q) to the
new vma, both munmap operations would trigger vma_close, causing
q->qfr to be freed twice(qfr will be set to null here, so repeated
release is ok).
Affected products
Linux · LinuxReferences
https://git.kernel.org/stable/c/02695347be532b628f22488300d40c4eba48b9b7https://git.kernel.org/stable/c/4c042bc71474dbe417c268f4bfb8ec196f802f07https://git.kernel.org/stable/c/75b29bdc935ff93b8e8bf6f6b4d8a4810b26e06fhttps://git.kernel.org/stable/c/78d99f062d42e3af2ca46bde1a8e46e0dfd372e3https://git.kernel.org/stable/c/a407ddd61b3e6afc5ccfcd1478797171cf5686eehttps://git.kernel.org/stable/c/ba29b59d124e725e0377f09b2044909c91d657a1https://git.kernel.org/stable/c/ebfa85658a39b49ec3901ceea7535b73aa0429e6