HIGH 7.8

CVE-2026-46279: Linux Kernel Memory Allocation Tracking Bug

CVE-2026-46279 is a memory management bug in the Linux kernel where pages allocated very early in the boot process—before the page tracking system is fully ready—end up without proper metadata. When these pages are later freed by KASAN (a memory safety tool), the kernel throws a warning because it can't find the tracking information. While this is primarily a diagnostic issue triggered under specific debugging configurations, it indicates a real ordering problem during kernel initialization that needs correction to maintain system stability and prevent potential memory tracking corruption.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-415
Affected products
1 configuration(s)
Published / Modified
2026-06-08 / 2026-07-08

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: mm/alloc_tag: clear codetag for pages allocated before page_ext initialization Due to initialization ordering, page_ext is allocated and initialized relatively late during boot. Some pages have already been allocated and freed before page_ext becomes available, leaving their codetag uninitialized. A clear example is in init_section_page_ext(): alloc_page_ext() calls kmemleak_alloc(). If the slab cache has no free objects, it falls back to the buddy allocator to allocate memory. However, at this point page_ext is not yet fully initialized, so these newly allocated pages have no codetag set. These pages may later be reclaimed by KASAN, which causes the warning to trigger when they are freed because their codetag ref is still empty. Use a global array to track pages allocated before page_ext is fully initialized. The array size is fixed at 8192 entries, and will emit a warning if this limit is exceeded. When page_ext initialization completes, set their codetag to empty to avoid warnings when they are freed later. This warning is only observed with CONFIG_MEM_ALLOC_PROFILING_DEBUG=Y and mem_profiling_compressed disabled: [ 9.582133] ------------[ cut here ]------------ [ 9.582137] alloc_tag was not set [ 9.582139] WARNING: ./include/linux/alloc_tag.h:164 at __pgalloc_tag_sub+0x40f/0x550, CPU#5: systemd/1 [ 9.582190] CPU: 5 UID: 0 PID: 1 Comm: systemd Not tainted 7.0.0-rc4 #1 PREEMPT(lazy) [ 9.582192] Hardware name: Red Hat KVM, BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 9.582194] RIP: 0010:__pgalloc_tag_sub+0x40f/0x550 [ 9.582196] Code: 00 00 4c 29 e5 48 8b 05 1f 88 56 05 48 8d 4c ad 00 48 8d 2c c8 e9 87 fd ff ff 0f 0b 0f 0b e9 f3 fe ff ff 48 8d 3d 61 2f ed 03 <67> 48 0f b9 3a e9 b3 fd ff ff 0f 0b eb e4 e8 5e cd 14 02 4c 89 c7 [ 9.582197] RSP: 0018:ffffc9000001f940 EFLAGS: 00010246 [ 9.582200] RAX: dffffc0000000000 RBX: 1ffff92000003f2b RCX: 1ffff110200d806c [ 9.582201] RDX: ffff8881006c0360 RSI: 0000000000000004 RDI: ffffffff9bc7b460 [ 9.582202] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff3a62324 [ 9.582203] R10: ffffffff9d311923 R11: 0000000000000000 R12: ffffea0004001b00 [ 9.582204] R13: 0000000000002000 R14: ffffea0000000000 R15: ffff8881006c0360 [ 9.582206] FS: 00007ffbbcf2d940(0000) GS:ffff888450479000(0000) knlGS:0000000000000000 [ 9.582208] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 9.582210] CR2: 000055ee3aa260d0 CR3: 0000000148b67005 CR4: 0000000000770ef0 [ 9.582211] PKRU: 55555554 [ 9.582212] Call Trace: [ 9.582213] <TASK> [ 9.582214] ? __pfx___pgalloc_tag_sub+0x10/0x10 [ 9.582216] ? check_bytes_and_report+0x68/0x140 [ 9.582219] __free_frozen_pages+0x2e4/0x1150 [ 9.582221] ? __free_slab+0xc2/0x2b0 [ 9.582224] qlist_free_all+0x4c/0xf0 [ 9.582227] kasan_quarantine_reduce+0x15d/0x180 [ 9.582229] __kasan_slab_alloc+0x69/0x90 [ 9.582232] kmem_cache_alloc_noprof+0x14a/0x500 [ 9.582234] do_getname+0x96/0x310 [ 9.582237] do_readlinkat+0x91/0x2f0 [ 9.582239] ? __pfx_do_readlinkat+0x10/0x10 [ 9.582240] ? get_random_bytes_user+0x1df/0x2c0 [ 9.582244] __x64_sys_readlinkat+0x96/0x100 [ 9.582246] do_syscall_64+0xce/0x650 [ 9.582250] ? __x64_sys_getrandom+0x13a/0x1e0 [ 9.582252] ? __pfx___x64_sys_getrandom+0x10/0x10 [ 9.582254] ? do_syscall_64+0x114/0x650 [ 9.582255] ? ksys_read+0xfc/0x1d0 [ 9.582258] ? __pfx_ksys_read+0x10/0x10 [ 9.582260] ? do_syscall_64+0x114/0x650 [ 9.582262] ? do_syscall_64+0x114/0x650 [ 9.582264] ? __pfx_fput_close_sync+0x10/0x10 [ 9.582266] ? file_close_fd_locked+0x178/0x2a0 [ 9.582268] ? __x64_sys_faccessat2+0x96/0x100 [ 9.582269] ? __x64_sys_close+0x7d/0xd0 [ 9.582271] ? do_syscall_64+0x114/0x650 [ 9.582273] ? do_syscall_64+0x114/0x650 [ 9.582275] ? clear_bhb_loop+0x50/0xa0 [ 9.582277] ? clear_bhb_l ---truncated---

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from initialization-order dependencies in the Linux memory allocation profiling subsystem. The page_ext framework, which maintains per-page metadata including allocation tags (codetags), initializes relatively late during kernel boot. However, certain allocations—notably those triggered within init_section_page_ext() when kmemleak_alloc() falls back to the buddy allocator—occur before page_ext is fully initialized. These early-allocated pages lack associated codetags. Later, when KASAN reclaims and frees these pages, the __pgalloc_tag_sub() function detects a missing codetag reference and triggers a warning. The issue manifests only when CONFIG_MEM_ALLOC_PROFILING_DEBUG=Y and memory profiling compression is disabled. The fix implements a fixed-size global array (8192 entries) to track pages allocated before page_ext initialization completes, ensuring they receive empty codetag markers upon initialization completion to prevent warnings during subsequent deallocation.

Business impact

For production systems, this vulnerability poses a moderate risk. Systems running standard Linux kernels without memory profiling debugging enabled will not trigger the warning and are unaffected. However, organizations using kernel builds with CONFIG_MEM_ALLOC_PROFILING_DEBUG enabled—common in development, testing, and hardened security environments—may experience unexpected kernel warnings that could be misinterpreted as memory corruption, triggering false alarms or unnecessary system restarts. The vulnerability could complicate debugging efforts and undermine confidence in memory safety tooling. In worst-case scenarios where the tracking corruption propagates, undetected memory leaks or double-frees could occur.

Affected systems

The Linux kernel is affected. The vulnerability requires CONFIG_MEM_ALLOC_PROFILING_DEBUG=Y and mem_profiling_compressed disabled to manifest. Systems running standard kernel configurations are unaffected; impact is limited to development kernels, testing environments, and specialized hardened deployments that explicitly enable memory allocation profiling debugging. The architecture appears platform-independent, though the stack trace references x86_64 systems.

Exploitability

This vulnerability is not directly exploitable by unprivileged users. The condition (CONFIG_MEM_ALLOC_PROFILING_DEBUG=Y with profiling compression disabled) is a compile-time configuration unlikely to appear in production kernels. The warning triggers during specific boot-time memory allocation patterns and requires the KASAN allocator to reclaim pages. An attacker with kernel-module loading privileges might artificially trigger the condition, but the impact is limited to denial-of-service through kernel warnings rather than code execution or privilege escalation.

Remediation

Apply a kernel update that includes the fix for CVE-2026-46279. The patch modifies the page_ext initialization sequence to track early-allocated pages in a global array and retroactively assign empty codetags upon initialization completion. Organizations should verify the specific kernel version containing this fix against their vendor advisory. For systems running standard kernels without CONFIG_MEM_ALLOC_PROFILING_DEBUG enabled, no immediate action is required. For affected development and testing environments, patching should be prioritized to restore reliable memory profiling diagnostics.

Patch guidance

Monitor your Linux distribution's security advisories for kernel updates addressing CVE-2026-46279. The fix is upstream in the Linux kernel; verify the specific version your distribution backports it to. If running a custom-built kernel with CONFIG_MEM_ALLOC_PROFILING_DEBUG=Y, rebuild with the patched source. Test patched kernels in non-production environments first, particularly if memory profiling or KASAN is critical to your security posture. The fix itself is minimal and low-risk, introducing only a fixed-size array allocation during boot.

Detection guidance

Monitor kernel logs for the warning 'alloc_tag was not set' appearing in dmesg or system logs, particularly during boot on systems with CONFIG_MEM_ALLOC_PROFILING_DEBUG enabled. The warning signature includes __pgalloc_tag_sub() in the stack trace. Security teams using KASAN or memory profiling tools should audit their kernel build configurations to identify which systems have the debug setting enabled. Use 'grep CONFIG_MEM_ALLOC_PROFILING_DEBUG /boot/config-$(uname -r)' to verify your running kernel's configuration. If warnings appear repeatedly, check if your kernel version precedes the fix.

Why prioritize this

Prioritize patching for systems with CONFIG_MEM_ALLOC_PROFILING_DEBUG=Y, as the warning indicates a real metadata corruption that could mask genuine memory safety issues. However, standard production kernels require no immediate action. The HIGH CVSS score reflects the local privilege requirement and impact on memory integrity; in practice, exploitability is low. Prioritize based on your environment: critical for development/testing kernels using memory profiling, low urgency for standard production deployments.

Risk score, explained

The CVSS 3.1 score of 7.8 (HIGH) reflects a local attack vector (AV:L), low attack complexity (AC:L), low privilege requirement (PR:L), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). However, this score is somewhat inflated by the debugging-focused nature of the vulnerability. The actual risk depends entirely on kernel configuration: with default configs, risk is negligible; with CONFIG_MEM_ALLOC_PROFILING_DEBUG, the high score appropriately reflects potential for undetected memory safety violations that could cascade into privilege escalation or data corruption.

Frequently asked questions

Do standard Linux systems need to patch this immediately?

No. Standard production kernels compiled without CONFIG_MEM_ALLOC_PROFILING_DEBUG enabled are unaffected. This vulnerability requires a specific compile-time debugging configuration to manifest. Only organizations using development kernels, custom hardened builds, or testing environments with memory profiling debugging should prioritize this patch.

What does the warning 'alloc_tag was not set' actually indicate?

It indicates that the kernel's memory allocation tracking system (codetag/page_ext) is missing metadata for a page being freed. In this CVE, it's a false alarm caused by initialization ordering—pages allocated during early boot before page_ext was ready. However, such warnings elsewhere could indicate genuine memory corruption, so the fix is important for reliable diagnostics.

Can this vulnerability be exploited for privilege escalation or code execution?

Unlikely in practical scenarios. The vulnerability is a metadata tracking bug triggered during boot under specific debug configurations. While undetected memory corruption could theoretically enable attacks, the conditions are narrow and triggering exploitation would require kernel module access. The primary risk is denial-of-service via false alarms and potential masking of real memory issues.

How do I know if my kernel is affected?

Run 'grep CONFIG_MEM_ALLOC_PROFILING_DEBUG /boot/config-$(uname -r)' on your system. If the output is 'CONFIG_MEM_ALLOC_PROFILING_DEBUG=y', you are potentially affected. Check your kernel version against the patched versions from your Linux distribution's advisory. If you see 'alloc_tag was not set' warnings in dmesg, your system is definitely experiencing this issue.

This analysis is provided for informational purposes based on available vulnerability data. CVSS scores, affected versions, patch availability, and timeline information derive from the CVE record and related advisories; verify against your vendor's official security bulletins before deploying patches. Memory profiling and KASAN behavior varies across kernel configurations and distributions. This vulnerability does not guarantee exploitability in all environments; prioritization should account for your specific kernel configuration and threat model. Always test patches in non-production environments before deployment. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and assumes no liability for its use. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).