CVE-2026-46279

Source
https://cve.org/CVERecord?id=CVE-2026-46279
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46279.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-46279
Downstream
Related
Published
2026-06-08T15:41:21.972Z
Modified
2026-06-18T03:57:27.687551310Z
Summary
mm/alloc_tag: clear codetag for pages allocated before page_ext initialization
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/alloctag: clear codetag for pages allocated before pageext initialization

Due to initialization ordering, pageext is allocated and initialized relatively late during boot. Some pages have already been allocated and freed before pageext becomes available, leaving their codetag uninitialized.

A clear example is in initsectionpageext(): allocpageext() calls kmemleakalloc(). If the slab cache has no free objects, it falls back to the buddy allocator to allocate memory. However, at this point page_ext is not yet fully initialized, so these newly allocated pages have no codetag set. These pages may later be reclaimed by KASAN, which causes the warning to trigger when they are freed because their codetag ref is still empty.

Use a global array to track pages allocated before pageext is fully initialized. The array size is fixed at 8192 entries, and will emit a warning if this limit is exceeded. When pageext initialization completes, set their codetag to empty to avoid warnings when they are freed later.

This warning is only observed with CONFIGMEMALLOCPROFILINGDEBUG=Y and memprofilingcompressed disabled:

[ 9.582133] ------------[ cut here ]------------ [ 9.582137] alloctag was not set [ 9.582139] WARNING: ./include/linux/alloctag.h:164 at __pgalloctagsub+0x40f/0x550, CPU#5: systemd/1 [ 9.582190] CPU: 5 UID: 0 PID: 1 Comm: systemd Not tainted 7.0.0-rc4 #1 PREEMPT(lazy) [ 9.582192] Hardware name: Red Hat KVM, BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 9.582194] RIP: 0010:__pgalloctagpgalloctagsub+0x40f/0x550 [ 9.582196] Code: 00 00 4c 29 e5 48 8b 05 1f 88 56 05 48 8d 4c ad 00 48 8d 2c c8 e9 87 fd ff ff 0f 0b 0f 0b e9 f3 fe ff ff 48 8d 3d 61 2f ed 03 <67> 48 0f b9 3a e9 b3 fd ff ff 0f 0b eb e4 e8 5e cd 14 02 4c 89 c7 [ 9.582197] RSP: 0018:ffffc9000001f940 EFLAGS: 00010246 [ 9.582200] RAX: dffffc0000000000 RBX: 1ffff92000003f2b RCX: 1ffff110200d806c [ 9.582201] RDX: ffff8881006c0360 RSI: 0000000000000004 RDI: ffffffff9bc7b460 [ 9.582202] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff3a62324 [ 9.582203] R10: ffffffff9d311923 R11: 0000000000000000 R12: ffffea0004001b00 [ 9.582204] R13: 0000000000002000 R14: ffffea0000000000 R15: ffff8881006c0360 [ 9.582206] FS: 00007ffbbcf2d940(0000) GS:ffff888450479000(0000) knlGS:0000000000000000 [ 9.582208] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 9.582210] CR2: 000055ee3aa260d0 CR3: 0000000148b67005 CR4: 0000000000770ef0 [ 9.582211] PKRU: 55555554 [ 9.582212] Call Trace: [ 9.582213] <TASK> [ 9.582214] ? pfxgalloc_tagsub+0x10/0x10 [ 9.582216] ? checkbytesandreport+0x68/0x140 [ 9.582219] __freefrozenpages+0x2e4/0x1150 [ 9.582221] ? __freeslab+0xc2/0x2b0 [ 9.582224] qlistfreeall+0x4c/0xf0 [ 9.582227] kasanquarantine_reduce+0x15d/0x180 [ 9.582229] __kasanslaballoc+0x69/0x90 [ 9.582232] kmemcacheallocnoprof+0x14a/0x500 [ 9.582234] dogetname+0x96/0x310 [ 9.582237] do_readlinkat+0x91/0x2f0 [ 9.582239] ? __pfxdoreadlinkat+0x10/0x10 [ 9.582240] ? getrandombytes_user+0x1df/0x2c0 [ 9.582244] __x64sysreadlinkat+0x96/0x100 [ 9.582246] dosyscall64+0xce/0x650 [ 9.582250] ? __x64sysx64sysgetrandom+0x13a/0x1e0 [ 9.582252] ? pfx64sysgetrandom+0x10/0x10 [ 9.582254] ? dosyscall64+0x114/0x650 [ 9.582255] ? ksys_read+0xfc/0x1d0 [ 9.582258] ? __pfxksysread+0x10/0x10 [ 9.582260] ? dosyscall64+0x114/0x650 [ 9.582262] ? dosyscall64+0x114/0x650 [ 9.582264] ? __pfxfputclosesync+0x10/0x10 [ 9.582266] ? fileclosefdlocked+0x178/0x2a0 [ 9.582268] ? __x64sysfaccessat2+0x96/0x100 [ 9.582269] ? __x64sysclose+0x7d/0xd0 [ 9.582271] ? dosyscall64+0x114/0x650 [ 9.582273] ? dosyscall64+0x114/0x650 [ 9.582275] ? clearbhbloop+0x50/0xa0 [ 9.582277] ? clearbhbl ---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46279.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
dcfe378c81f72f146890ce1dcfdcc742d3b66924
Fixed
d5b495ba9de0423ef39f8bd86729a885870c7efe
Fixed
b49dfabc38cad5e50af24f63edd124a10de3ebb6
Fixed
6b1842775a460245e97d36d3a67d0cfba7c4ff79

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46279.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.10.0
Fixed
6.18.27
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46279.json"