CVE-2026-23416: mm/mseal Stale curr_end After VMA Merge - Discovery & PoC

by: Antonius
Country: Indonesia
https://www.bluedragonsec.com — https://github.com/bluedragonsecurity

I discovered a vulnerability in the Linux kernel mseal subsystem affecting Linux kernel 6.17 through Linux kernel 7.0-rc5.

Here is the PoC:

https://github.com/bluedragonsecurity/CVE-2026-23416-POC

SUMMARY

The VM_WARN_ON_VMG invariant check at mm/vma.c:830, inside vma_merge_existing_range(), fires when mseal(2) is called with a range spanning two adjacent VMAs of which one has VM_SEALED set and the other does not.

CALL PATH

mseal(2) -> do_mseal() [mm/mseal.c] -> mseal_apply() -> vma_modify_flags() [mm/vma.c] -> vma_modify() -> vma_merge_existing_range() -> VM_WARN_ON_VMG fires at line 830

FAILING ASSERTION

VM_WARN_ON_VMG(middle && ((middle != prev && vmg->start != middle->vm_start) || vmg->end > middle->vm_end))

vmg->start = 0x21da8000 (original mseal start, not clamped)
middle->vm_start = 0x21de6000 (VMA-B, not sealed)
-> vmg->start != middle->vm_start -> WARN fires

ROOT CAUSE

do_mseal() calls vma_modify_flags() with the original mseal() start address, without clamping it to the current VMA's vm_start, when the mseal range spans two VMAs with different VM_SEALED states. vma_merge_existing_range() therefore receives an inconsistent vmg state: vmg->start points into the preceding (already sealed) VMA instead of at middle->vm_start.

SECURITY RELEVANCE

  1. Reachable from unprivileged userspace (UID 1000, no CAP_* needed; only the memfd_create, mmap and mseal syscalls).
  2. mseal(2) is a security primitive protecting VMA immutability. An invariant violation in its application logic means VM_SEALED may be applied incorrectly when a range spans VMAs with mixed seal states, potentially undermining the guarantee mseal provides.
  3. In production kernels (non-debug builds where the WARN compiles to a no-op), the inconsistent vmg state proceeds silently: the VMA tree could be left with incorrect seal state without any visible error.

REFERENCES

Common Vulnerabilities and Exposures (CVE) record, www.cve.org

Who is Antonius (w1sdom)?

This is the personal website of Antonius Wisdom, a security researcher based in Indonesia. I do low-level vulnerability research and hardware hacking.

Nicknames: w1sdom, sw0rdm4n, ringlayer, robotsoft, bluedragonsec, ev1lut10n
