A serious availability vulnerability in the Linux kernel surfaced publicly on May 8, 2026, when the National Vulnerability Database published CVE-2026-43292. The advisory describes a flaw in the Kernel Address Sanitizer (KASAN) subsystem that could trigger Read-Copy-Update (RCU) stalls during vmalloc cleanup, potentially rendering affected systems unresponsive. At the heart of the issue lies the kasan_release_vmalloc_node function, which in certain configurations monopolized CPU time, preventing RCU grace periods from completing and eventually leading to soft lockups or outright system hangs.

The vulnerability is not a remote code execution risk—no attacker can exploit it to gain control—but its impact on availability is severe. Servers, virtualized environments, and any Linux system with KASAN enabled (whether for debugging or production hardening) and heavy vmalloc usage could lock up under sustained memory pressure. The fix, initially submitted to the Linux kernel mailing list and later merged into mainline, breaks up the problematic cleanup work into smaller, preemptible chunks, respecting RCU latency requirements.

Understanding KASAN and vmalloc

KASAN, the Kernel Address Sanitizer, is a dynamic memory error detector built into the kernel. Originally ported from user-space AddressSanitizer, it identifies out-of-bounds accesses and use-after-free bugs in kernel code. When the kernel allocates or frees memory via vmalloc, the mechanism that reserves large, virtually contiguous memory regions, KASAN inserts redzones and maintains shadow memory so that overruns can be detected.

The kasan_release_vmalloc_node function cleans up KASAN shadow memory when a vmalloc area is freed. Under normal conditions, this cleanup is fast. But when a system has many concurrent vmalloc operations or large shadow maps, the function could run for an extended period without yielding the CPU. That’s where RCU enters the picture.

RCU Stalls Explained

RCU is a synchronization mechanism that protects shared data structures across many kernel subsystems. It lets multiple readers access data without locks while ensuring that writers wait until all pre-existing readers have finished. A fundamental principle is that RCU grace periods must not be indefinitely delayed; if a CPU runs for too long without passing through a quiescent state (typically a context switch or an idle point), an “RCU stall” warning fires, and the system can stop scheduling tasks on that CPU, leading to a soft lockup.

RCU stalls often manifest as kernel warnings printed to the console, followed by hung-task timeouts and a completely frozen node. In CVE-2026-43292, the root cause was kasan_release_vmalloc_node looping over large amounts of shadow memory without any voluntary preemption points. If the function ran for longer than the RCU stall timeout (commonly 60 seconds), the kernel would detect the stall and could eventually panic if panic_on_rcu_stall is set.

The Technical Flaw

According to the kernel patch discussion, the problematic code was a tight loop iterating over KASAN shadow pages for the vmalloc region being freed. For each page, it would clear metadata and free backing stores. On systems with terabytes of vmalloc space—common in large-memory servers or when kernel modules create huge virtual mappings—the loop could touch millions of pages. Because KASAN instrumentation itself adds overhead, and because the loop was executed in an atomic context (preemption disabled), the CPU became a bottleneck.

Specifically, the calling path was: __vunmap() -> remove_vm_area() -> kasan_release_vmalloc_node(). The last function would call kasan_poison_vmalloc for each allocated shadow page, and in the buggy implementation, all those pages were processed in one go. The fix restructured the code to periodically release the CPU and check whether a reschedule is needed, using cond_resched() calls and batching the work into smaller groups.

Scope of Affected Systems

CVE-2026-43292 primarily affects kernels where CONFIG_KASAN_VMALLOC is enabled. This configuration option is not set by default in most distribution kernels; it is commonly turned on in custom debugging builds, security-focused kernels (e.g., Android’s experimental branches, some hardened kernels), and when developers want additional validation of vmalloc usage. However, the vulnerability can also surface on production systems that run with full KASAN instrumentation, such as those used by large-scale operators who prioritize bug detection over minimal overhead.

The problem is more acute on multi-node NUMA machines, where vmalloc areas are frequently allocated and freed across nodes. The NVD severity score, expected to be in the medium range (around 5–6 out of 10), reflects the local, availability-only impact and the uncommon default configuration. Still, for environments that fit the profile, the risk of unplanned downtime is high.

Triggering the Vulnerability

An unprivileged local user can trigger the RCU stall by forcing rapid vmalloc allocation and deallocation cycles. For instance, repeatedly loading and unloading a kernel module that uses vmalloc, or using user-space interfaces that map large buffers via vmalloc (such as certain frame buffer drivers or the vmalloc parameter of char devices), can exhaust the cleanup’s CPU time. A simple stress test involving insmod/rmmod in a tight loop on a compromised or heavily utilized system could be enough to hang the kernel.

No special permissions are required beyond the ability to allocate and free vmalloc memory, which is allowed for most processes. The attack vector is real for containerized environments where a container breakout could leverage the stall to disrupt the host, though direct code execution remains impossible.

The Fix: Chunked Cleanup

The official kernel patch, authored by a long-time KASAN maintainer, introduces a batched approach in kasan_release_vmalloc_node. Instead of processing the entire shadow page table in one pass, the function now processes up to 256 pages at a time, then calls cond_resched() to allow the scheduler to switch to other tasks. This lets RCU complete grace periods normally.

Additionally, the patch adds a might_sleep() check to ensure the function is never called from truly non-sleepable contexts, and clarifies in the code comments why the batching is necessary. The commit message explicitly references the RCU stall warnings observed during fuzzing and on production systems, linking to the reported stack traces.
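To make the batching concrete, the following user-space model (an added example, not the kernel's code) walks a range of shadow pages and yields after every 256 of them, as the fix does with cond_resched(); the byte buffer, the counters and the model_release() driver are assumptions of the example, and passing a batch size at least as large as the page count reproduces the pre-fix single unbounded run.

```c
/* Added, user-space model of the batched cleanup described above; it is
 * not the kernel's code. release_shadow_pages() walks nr_pages shadow
 * pages and after every `batch` of them calls yield(), which stands in
 * for cond_resched(). model_release() drives it over a constructed buffer. */
#include <stddef.h>
#include <stdlib.h>
#define RELEASE_BATCH 256   /* batch size quoted in the fix description */

struct release_stats {
    size_t pages_done;  /* shadow pages processed */
    size_t yields;      /* scheduling opportunities offered */
    size_t max_run;     /* longest run of pages without a yield */
};

static void model_yield(void) { /* a real scheduler would switch here */ }

/* Fixed pattern: work between scheduling opportunities is bounded by
 * batch. Passing batch >= nr_pages reproduces the pre-fix behaviour:
 * one run over every page and no yield at all. */
static struct release_stats release_shadow_pages(unsigned char *shadow,
        size_t nr_pages, size_t batch, void (*yield)(void))
{
    struct release_stats st = {0, 0, 0};
    size_t run = 0;
    for (size_t i = 0; i < nr_pages; i++) {
        shadow[i] = 0;      /* hypothetical per-page work: clear shadow */
        st.pages_done++;
        if (++run > st.max_run)
            st.max_run = run;
        /* Yield after a full batch unless this was the last page. */
        if (run == batch && i + 1 < nr_pages) {
            yield();        /* cond_resched() in the real fix */
            st.yields++;
            run = 0;
        }
    }
    return st;
}

/* Driver over a constructed, zeroed buffer: one byte stands for one page. */
struct release_stats model_release(size_t nr_pages, size_t batch)
{
    unsigned char *shadow = calloc(nr_pages ? nr_pages : 1, 1);
    struct release_stats st = release_shadow_pages(shadow, nr_pages,
                                                   batch, model_yield);
    free(shadow);
    return st;
}
```

The max_run field is the quantity that matters for RCU: with batching it is capped at 256 regardless of how large the region is, whereas the unbatched run grows with the region.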

Mitigation and Recommendations

There is no practical workaround short of disabling KASAN for vmalloc or patching the kernel. System administrators who monitor dmesg for RCU stall warnings should check whether the reported stack contains kasan_release_vmalloc_node and, if it does, apply the fix immediately.
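A small helper for that dmesg check, added here as an example and not taken from the page or the kernel sources: it splits a stall report at each line that carries both "rcu" and "stall" and flags reports whose trace names kasan_release_vmalloc_node. The sample log it scans is constructed, and the timestamps and symbol offsets in it are made up.

```c
/* Added detection helper, not code from the page or the kernel: scans
 * dmesg text for RCU stall reports whose call trace names the function
 * from the advisory. The sample log at the bottom is constructed; the
 * symbol offsets and timestamps in it are made up. */
#include <stdbool.h>
#include <string.h>
#define SUSPECT_SYM "kasan_release_vmalloc_node"

/* Bounded substring search: the line is not NUL-terminated at its end. */
static bool line_has(const char *line, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(line + i, needle, n) == 0)
            return true;
    return false;
}

/* A report starts at a line containing both "rcu" and "stall" (covering
 * "self-detected stall on CPU" and "detected stalls on CPUs/tasks") and
 * runs to the next such line. Returns how many reports name SUSPECT_SYM. */
int count_kasan_stalls(const char *text)
{
    int hits = 0;
    bool in_report = false, flagged = false;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (line_has(p, len, "rcu") && line_has(p, len, "stall")) {
            if (in_report && flagged) hits++;   /* close previous report */
            in_report = true;
            flagged = false;
        } else if (in_report && line_has(p, len, SUSPECT_SYM)) {
            flagged = true;
        }
        p = nl ? nl + 1 : p + len;
    }
    if (in_report && flagged) hits++;           /* close the last report */
    return hits;
}

/* Constructed sample: one stall with the suspect symbol, one without. */
const char *SAMPLE_DMESG =
    "[ 812.001] rcu: INFO: rcu_sched self-detected stall on CPU\n"
    "[ 812.003] Call Trace:\n"
    "[ 812.004]  kasan_release_vmalloc_node+0x1a0/0x3c0\n"
    "[ 812.005]  remove_vm_area+0x88/0x120\n"
    "[ 990.001] rcu: INFO: rcu_sched detected stalls on CPUs/tasks:\n"
    "[ 990.002] Call Trace:\n"
    "[ 990.003]  some_other_driver_irq+0x10/0x40\n";
```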

Longer term, the Linux kernel community is discussing further hardening to prevent any function that runs in atomic context from doing indeterminate amounts of work. While RCU stall detection already exists, the incident highlights that sanitizer code—often assumed to be “debug only”—can have unexpected interactions with kernel scheduling guarantees. The fix is already in Linus Torvalds’ tree and is expected to be backported to stable kernels (e.g., 5.15.y, 6.1.y, 6.6.y) by June 2026.

Users who compile their own kernels should ensure they update to a commit containing the change or apply the patch manually. Distro vendors typically pick up such fixes within days of the CVE publication, so CI/CD pipelines that rebuild immutable images should be triggered.

The Bigger Picture

CVE-2026-43292 is another reminder that runtime hardening tools sometimes introduce new attack surface or availability pitfalls. KASAN itself has been instrumental in catching thousands of memory bugs, but its instrumentation overhead can distort timing assumptions in the kernel. The maintainers have balanced this by adding cond_resched() at strategic points, and future KASAN releases may include an automatic rescheduling layer for long-running cleanup operations.

For security engineers, this vulnerability underscores the need to test kernel builds with the exact sanitizer configuration deployed in production, under realistic workloads. Unit tests that stress memory allocation paths can reveal similar stalls before adversaries do.

What’s Next

As the Linux ecosystem continues to integrate advanced sanitizers (KMSAN, KCSAN, etc.), the same class of problems—unbounded loops in analysis code—will need careful review. The kernel’s RCU subsystem is exceptionally sensitive to long-running atomic sections, and any new instrumentation that touches hot paths must be designed with preemption in mind. CVE-2026-43292 provides a concrete case study for kernel maintainers working on future sanitizer integrations.

In the immediate term, patching is straightforward. The fix is small, self-contained, and already passing regression tests. Organizations running sensitive workloads on KASAN-instrumented kernels should prioritize this update to avoid outages that could be easily mistaken for hardware failures or memory corruption.