CVE-2026-23052: ftrace: Do not over-allocate ftrace memory
In the Linux kernel, the following vulnerability has been resolved:
ftrace: Do not over-allocate ftrace memory
The pg_remaining calculation in ftrace_process_locs() assumes that
ENTRIES_PER_PAGE multiplied by 2^order equals the actual capacity of the
allocated page group. However, ENTRIES_PER_PAGE is PAGE_SIZE / ENTRY_SIZE
(integer division). When PAGE_SIZE is not a multiple of ENTRY_SIZE (e.g.
4096 / 24 = 170 with remainder 16), high-order allocations (like 256 pages)
have significantly more capacity than 256 * 170. This leads to pg_remaining
being underestimated, which in turn makes skip (derived from skipped -
pg_remaining) larger than expected, causing the WARN(skip != remaining)
to trigger.
Extra allocated pages for ftrace: 2 with 654 skipped
WARNING: CPU: 0 PID: 0 at kernel/trace/ftrace.c:7295 ftrace_process_locs+0x5bf/0x5e0
A similar problem in ftrace_allocate_records() can result in allocating
too many pages. This can trigger the second warning in
ftrace_process_locs().
Extra allocated pages for ftrace
WARNING: CPU: 0 PID: 0 at kernel/trace/ftrace.c:7276 ftrace_process_locs+0x548/0x580
Use the actual capacity of a page group to determine the number of pages
to allocate. Have ftrace_allocate_pages() return the number of allocated
pages to avoid having to calculate it. Use the actual page group capacity
when validating the number of unused pages due to skipped entries.
Drop the definition of ENTRIES_PER_PAGE since it is no longer used.
Security readout for executives and security teams
Plain-English summary
CVE-2026-23052 is a Linux kernel ftrace memory-accounting flaw. The kernel can over-allocate ftrace record pages and trigger boot-time or trace-initialization warnings. The provided sources do not show data theft, privilege escalation, remote attackability, or active exploitation.
Executive priority
Track through normal Linux kernel patch management unless vendor advisories raise severity. There is no source-backed evidence of active exploitation, remote compromise, or business-critical impact in the provided bundle.
Technical view
In ftrace_process_locs() and ftrace_allocate_records(), capacity was estimated from ENTRIES_PER_PAGE, which loses remainder space when PAGE_SIZE is not divisible by ENTRY_SIZE. High-order page groups then appear smaller than they are, causing incorrect skip/remaining calculations, extra page allocation, and WARN conditions.
Likely exposure
Exposure appears limited to Linux systems running affected kernel builds that include the vulnerable ftrace logic. The source bundle lists Linux kernel version markers including 6.15, 6.18.7, and 6.19, plus stable commit fixes. Distribution impact requires vendor confirmation.
Exploitation context
The sources describe a kernel correctness issue producing ftrace allocation warnings, not an attacker workflow. KEV is false, and no cited source states active exploitation or public exploit availability.
Researcher notes
The fix replaces ENTRIES_PER_PAGE-derived estimates with actual page-group capacity and returns allocated page counts from ftrace_allocate_pages(). Focus validation on affected kernel lineage and whether downstream vendors backported the stable commits.
Mitigation direction
Check the kernel vendor advisory for affected package ranges.
Update to a kernel containing the referenced stable fixes.
Prioritize systems using affected 6.15-era kernel lines.
Avoid assuming distro kernels are affected without vendor mapping.
Validation and detection
Inventory running kernel versions across Linux assets.
Compare distro kernel packages with vendor CVE advisories.
Review boot or kernel logs for ftrace WARN messages.
Confirm deployed kernels include the referenced stable commits.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2026-23052 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
5Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Feb 4, 2026, 16:04 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.