CVE-2026-43303
mm/page_alloc: clear page->private in free_pages_prepare()
Published:
5/8/2026
Last updated:
6/19/2026
Reserved:
5/1/2026
In the Linux kernel, the following vulnerability has been resolved:
mm/page_alloc: clear page->private in free_pages_prepare()
Several subsystems (slub, shmem, ttm, etc.) use page->private but don't
clear it before freeing pages. When these pages are later allocated as
high-order pages and split via split_page(), tail pages retain stale
page->private values.
This causes a use-after-free in the swap subsystem. The swap code uses
page->private to track swap count continuations, assuming freshly
allocated pages have page->private == 0. When stale values are present,
swap_count_continued() incorrectly assumes the continuation list is valid
and iterates over uninitialized page->lru containing LIST_POISON values,
causing a crash:
KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]
RIP: 0010:__do_sys_swapoff+0x1151/0x1860
Fix this by clearing page->private in free_pages_prepare(), ensuring all
freed pages have clean state regardless of previous use.
CNA assigner:
Linux (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
Requested by:
n/a
Products affected (4)
| Product |
Vendor |
Version |
| Linux |
Linux
|
10 Version 1803 for ARM64-based Systems
|
| Linux |
Linux
|
10 Version 1809 for 32-bit Systems
|
| Linux |
Linux
|
173.0.0.29.505
|
| Linux |
Linux
|
< 33.9.1
|