In the Linux kernel, the following vulnerability has been resolved:
mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI on UP
On UP kernels (!CONFIG_SMP), spin_trylock() is a no-op that unconditionally succeeds even when the lock is already held. As a result, alloc_frozen_pages_nolock() called from NMI context can re-enter rmqueue() and acquire the zone lock that the interrupted context is already holding, corrupting the freelists.
With CONFIG_DEBUG_SPINLOCK on UP, the following BUG is triggered with the slub_kunit test module:
  BUG: spinlock trylock failure on UP on CPU#0, kunit_try_catch/243
  [...]
  Call Trace:
   <NMI>
   dump_stack_lvl+0x3f/0x60
   do_raw_spin_trylock+0x41/0x50
   _raw_spin_trylock+0x24/0x50
   rmqueue.isra.0+0x2a9/0xa70
   get_page_from_freelist+0xeb/0x450
   alloc_frozen_pages_nolock_noprof+0x111/0x1e0
   allocate_slab+0x42a/0x500
   ___slab_alloc+0xa7/0x4c0
   kmalloc_nolock_noprof+0x164/0x310
   [...]
   </NMI>
Fix this by returning NULL early when invoked from NMI on a UP kernel.
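The following userspace model is an added example, not the kernel patch or any kernel code. It shows why a trylock that always succeeds on UP lets an NMI re-enter a locked section, and how the early NULL return closes that path. Every identifier in it (struct model, model_spin_trylock, model_alloc_nolock, run_scenario) is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: every name is hypothetical, none is kernel code. */
struct model {
    bool smp;          /* false models a UP (!CONFIG_SMP) build */
    bool in_nmi;       /* caller is running in NMI context */
    bool zone_locked;  /* interrupted context holds the zone lock */
    int  reentries;    /* freelist updates made under someone else's lock */
};

static bool model_spin_trylock(struct model *m)
{
    if (!m->smp)
        return true;             /* UP: no-op, never tests the lock */
    if (m->zone_locked)
        return false;            /* SMP: lock is really contended */
    m->zone_locked = true;
    return true;
}

static void *model_alloc_nolock(struct model *m, bool apply_fix)
{
    static char page;            /* stand-in for an allocated page */
    bool held = m->zone_locked;
    if (apply_fix && !m->smp && m->in_nmi)
        return NULL;             /* early return described in the advisory */
    if (!model_spin_trylock(m))
        return NULL;             /* SMP: lock busy, allocation fails cleanly */
    if (held)
        m->reentries++;          /* UP without the fix: freelists re-entered */
    else
        m->zone_locked = false;  /* release the lock we took */
    return &page;
}

/* Returns -1 if the allocation was refused (NULL), else the re-entry count. */
static int run_scenario(bool smp, bool nmi_while_locked, bool apply_fix)
{
    struct model m = { smp, nmi_while_locked, nmi_while_locked, 0 };
    return model_alloc_nolock(&m, apply_fix) ? m.reentries : -1;
}

int main(void)
{
    printf("UP, NMI, unfixed: %d\n", run_scenario(false, true, false));
    printf("UP, NMI, fixed:   %d\n", run_scenario(false, true, true));
    return 0;
}
```

In the model, the SMP build already refuses the allocation because its trylock really fails. Only the UP build needs the explicit NMI check.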
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46035.json"
}