LiveActive security incident?Get immediate response
CVE Record

CVE-2026-23052: ftrace: Do not over-allocate ftrace memory

In the Linux kernel, the following vulnerability has been resolved: ftrace: Do not over-allocate ftrace memory The pg_remaining calculation in ftrace_process_locs() assumes that ENTRIES_PER_PAGE multiplied by 2^order equals the actual capacity of the allocated page group. However, ENTRIES_PER_PAGE is PAGE_SIZE / ENTRY_SIZE (integer division). When PAGE_SIZE is not a multiple of ENTRY_SIZE (e.g. 4096 / 24 = 170 with remainder 16), high-order allocations (like 256 pages) have significantly more capacity than 256 * 170. This leads to pg_remaining being underestimated, which in turn makes skip (derived from skipped - pg_remaining) larger than expected, causing the WARN(skip != remaining) to trigger. Extra allocated pages for ftrace: 2 with 654 skipped WARNING: CPU: 0 PID: 0 at kernel/trace/ftrace.c:7295 ftrace_process_locs+0x5bf/0x5e0 A similar problem in ftrace_allocate_records() can result in allocating too many pages. This can trigger the second warning in ftrace_process_locs(). Extra allocated pages for ftrace WARNING: CPU: 0 PID: 0 at kernel/trace/ftrace.c:7276 ftrace_process_locs+0x548/0x580 Use the actual capacity of a page group to determine the number of pages to allocate. Have ftrace_allocate_pages() return the number of allocated pages to avoid having to calculate it. Use the actual page group capacity when validating the number of unused pages due to skipped entries. Drop the definition of ENTRIES_PER_PAGE since it is no longer used.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2026-23052 is a Linux kernel ftrace memory-accounting flaw. The kernel can over-allocate ftrace record pages and trigger boot-time or trace-initialization warnings. The provided sources do not show data theft, privilege escalation, remote attackability, or active exploitation.

Executive priority

Track through normal Linux kernel patch management unless vendor advisories raise severity. There is no source-backed evidence of active exploitation, remote compromise, or business-critical impact in the provided bundle.

Technical view

In ftrace_process_locs() and ftrace_allocate_records(), capacity was estimated from ENTRIES_PER_PAGE, which loses remainder space when PAGE_SIZE is not divisible by ENTRY_SIZE. High-order page groups then appear smaller than they are, causing incorrect skip/remaining calculations, extra page allocation, and WARN conditions.

Likely exposure

Exposure appears limited to Linux systems running affected kernel builds that include the vulnerable ftrace logic. The source bundle lists Linux kernel version markers including 6.15, 6.18.7, and 6.19, plus stable commit fixes. Distribution impact requires vendor confirmation.

Exploitation context

The sources describe a kernel correctness issue producing ftrace allocation warnings, not an attacker workflow. KEV is false, and no cited source states active exploitation or public exploit availability.

Researcher notes

The fix replaces ENTRIES_PER_PAGE-derived estimates with actual page-group capacity and returns allocated page counts from ftrace_allocate_pages(). Focus validation on affected kernel lineage and whether downstream vendors backported the stable commits.

Mitigation direction

  • Check the kernel vendor advisory for affected package ranges.
  • Update to a kernel containing the referenced stable fixes.
  • Prioritize systems using affected 6.15-era kernel lines.
  • Avoid assuming distro kernels are affected without vendor mapping.

Validation and detection

  • Inventory running kernel versions across Linux assets.
  • Compare distro kernel packages with vendor CVE advisories.
  • Review boot or kernel logs for ftrace WARN messages.
  • Confirm deployed kernels include the referenced stable commits.
Prepared
Confidence
medium
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2026-23052 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
5Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxdc06779d338de4e5a46166a93ec124222e09f40a, 2a6ce8bddd8aafa61aaa705e76eae810f22429be, 4a3efc6baff931da9a85c6d2e42c87bd9a827399, 4a3efc6baff931da9a85c6d2e42c87bd9a827399unaffected
LinuxLinux6.15, 0, 6.18.7, 6.19affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.