Linux Kernel: Fixed WARN_ON in trace_buffers_mmap_close on fork
CVE-2026-23380 Published on March 25, 2026
tracing: Fix WARN_ON in tracing_buffers_mmap_close
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix WARN_ON in tracing_buffers_mmap_close
When a process forks, the child process copies the parent's VMAs but the
user_mapped reference count is not incremented. As a result, when both the
parent and child processes exit, tracing_buffers_mmap_close() is called
twice. On the second call, user_mapped is already 0, causing the function to
return -ENODEV and triggering a WARN_ON.
Normally, this isn't an issue as the memory is mapped with VM_DONTCOPY set.
But this is only a hint, and the application can call
madvise(MADVISE_DOFORK) which resets the VM_DONTCOPY flag. When the
application does that, it can trigger this issue on fork.
Fix it by incrementing the user_mapped reference count without re-mapping
the pages in the VMA's open callback.
Products Associated with CVE-2026-23380
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64 and below 91f3e8d84c89918769e71393f839c9fefadc2580 is affected.
- Version cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64 and below cdd96641b64297a2db42676f051362b76280a58b is affected.
- Version cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64 and below b0f269ba6fefe9e3cb9feedcf78fcd0b633800c0 is affected.
- Version cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64 and below e39bb9e02b68942f8e9359d2a3efe7d37ae6be0e is affected.
- Version 6.10 is affected.
- Before 6.10 is unaffected.
- Version 6.12.77, <= 6.12.* is unaffected.
- Version 6.18.17, <= 6.18.* is unaffected.
- Version 6.19.7, <= 6.19.* is unaffected.
- Version 7.0-rc3, <= * is unaffected.