
Memory Management Bugs (Kernel)

A catalog of notable Linux kernel memory management bugs, vulnerabilities, and edge cases

This index covers bugs in the Linux kernel's mm/ subsystem - security vulnerabilities, data corruption, performance regressions, and stability issues. These are real kernel bugs we analyze for educational purposes.

Quick Reference

By Severity

| Severity                | Count | Examples                                  |
|-------------------------|-------|-------------------------------------------|
| Critical (CVE, exploit) | 15+   | Dirty COW, Meltdown, SLUB exploits        |
| Data corruption         | 5+    | Large folio data loss, swap ABA           |
| Deadlock/hang           | 5+    | mmap_sem deadlock, OOM livelock           |
| Performance             | 5+    | Thrashing, readahead traps                |

By Year

| Year | Notable Bugs                                                                                   |
|------|------------------------------------------------------------------------------------------------|
| 2024 | Swap slot ABA (CVE-2024-26759)                                                                 |
| 2023 | StackRot (CVE-2023-3269), Large folio data loss, glibc heap overflow (CVE-2023-6246)           |
| 2022 | io_uring UAF (CVE-2022-29582), systemd cgroup massacre                                         |
| 2021 | Netfilter heap OOB (CVE-2021-22555)                                                            |
| 2020 | THP COW race (CVE-2020-29368)                                                                  |
| 2018 | mremap TLB race (CVE-2018-18281), Spectre variants                                             |
| 2017 | Meltdown (CVE-2017-5754), Spectre (CVE-2017-5753/5715), Stack Clash                            |
| 2016 | Dirty COW (CVE-2016-5195)                                                                      |

Detailed Bug Documentation

Subsystem Bug Sections

Detailed analysis of bugs in specific subsystems (located within each topic's documentation):

| Document            | Subsystem         | Key Bugs                                            |
|---------------------|-------------------|-----------------------------------------------------|
| SLUB Allocator Bugs | mm/slub.c         | CVE-2021-22555, CVE-2022-29582, heap exploitation   |
| THP Bugs            | mm/huge_memory.c  | CVE-2020-29368, khugepaged races, collapse bugs     |
| Page Table Bugs     | arch/*/mm/        | Meltdown, Spectre, TLB flush races                  |

Lifecycle Document Bug Sections

The lifecycle docs contain narrative bug coverage as part of their end-to-end walkthroughs:

| Document          | Section                | Key Bugs                                                                        |
|-------------------|------------------------|---------------------------------------------------------------------------------|
| fork.md           | COW & fork bugs        | Dirty COW (CVE-2016-5195), StackRot (CVE-2023-3269), mremap (CVE-2004-0077)     |
| oom.md            | OOM killer bugs        | mmap_sem deadlock, thrashing livelock, CVE-2012-4398                            |
| life-of-malloc.md | Heap & allocation bugs | glibc CVE-2023-6246, Stack Clash, mmap_min_addr bypass                          |
| life-of-page.md   | Page lifecycle bugs    | Refcount overflow, large folio data loss, LRU corruption                        |
| life-of-read.md   | Page cache bugs        | filemap_fault races, 9p corruption, readahead issues                            |
| swapping.md       | Swap bugs              | Swap slot ABA (CVE-2024-26759), zswap races                                     |

Bug Categories

Security Vulnerabilities (CVEs)

Bugs with assigned CVEs, typically exploitable for privilege escalation or information disclosure.

| CVE            | Name                 | Subsystem        | Type            | Details           |
|----------------|----------------------|------------------|-----------------|-------------------|
| CVE-2024-26759 | Swap slot ABA        | swap             | Race/corruption | swapping.md       |
| CVE-2023-3269  | StackRot             | maple tree       | UAF             | fork.md           |
| CVE-2023-6246  | glibc syslog         | glibc heap       | Overflow        | life-of-malloc.md |
| CVE-2022-29582 | io_uring UAF         | io_uring/slub    | UAF             | slab.md           |
| CVE-2021-22555 | Netfilter heap OOB   | netfilter/slub   | Heap OOB        | slab.md           |
| CVE-2020-29368 | THP COW race         | thp              | Race            | thp.md            |
| CVE-2018-18281 | mremap TLB race      | mremap           | TLB race        | fork.md           |
| CVE-2017-5754  | Meltdown             | CPU/page tables  | Side channel    | page-tables.md    |
| CVE-2017-5753  | Spectre v1           | CPU              | Side channel    | page-tables.md    |
| CVE-2017-5715  | Spectre v2           | CPU              | Side channel    | page-tables.md    |
| CVE-2016-5195  | Dirty COW            | COW              | Race            | fork.md           |
| CVE-2012-4398  | OOM deadlock         | OOM              | Deadlock        | oom.md            |
| CVE-2009-2695  | mmap_min_addr bypass | mmap             | Logic           | life-of-malloc.md |
| CVE-2004-0077  | mremap disaster      | mremap           | Logic           | fork.md           |

Data Corruption Bugs

Bugs causing silent data loss or corruption without security implications.

| Bug                   | Year    | Subsystem       | Details          |
|-----------------------|---------|-----------------|------------------|
| Large folio data loss | 2023    | writeback/folio | life-of-page.md  |
| Swap slot ABA         | 2024    | swap            | swapping.md      |
| 9p read corruption    | 2025    | 9p/netfs        | life-of-read.md  |
| zswap races           | Ongoing | zswap           | swapping.md      |

Deadlock & Hang Bugs

Bugs causing system hangs or unrecoverable states.

| Bug                    | Year       | Subsystem | Details     |
|------------------------|------------|-----------|-------------|
| mmap_sem deadlock      | 2010-2016  | OOM       | oom.md      |
| Swap-over-NFS deadlock | Historical | swap/NFS  | swapping.md |

Performance Bugs

Bugs causing severe performance degradation.

| Bug                | Year    | Subsystem | Details     |
|--------------------|---------|-----------|-------------|
| Thrashing livelock | 2010+   | reclaim   | oom.md      |
| Readahead trap     | Ongoing | readahead | swapping.md |
| khugepaged CPU     | Ongoing | thp       | thp.md      |

Exploitation Techniques

Common techniques used to exploit mm bugs:

Heap Exploitation (SLUB)

| Technique           | Description                                | Used In              |
|---------------------|--------------------------------------------|----------------------|
| Heap spray          | Fill heap with controlled objects          | CVE-2021-22555       |
| Cross-cache attack  | Exploit objects across different caches    | CVE-2022-29582       |
| Freelist corruption | Overwrite SLUB freelist pointers           | Many heap overflows  |
| msg_msg abuse       | Use msgsnd() for heap layout control       | CVE-2021-22555       |

Race Conditions

| Technique   | Description                                | Used In               |
|-------------|--------------------------------------------|-----------------------|
| userfaultfd | Pause kernel at precise moments            | Dirty COW variants    |
| FUSE        | Control page fault timing via filesystem   | Various exploits      |
| CPU pinning | Control which CPU runs exploit code        | Race window expansion |

Side Channels

| Technique    | Description                    | Used In           |
|--------------|--------------------------------|-------------------|
| Flush+Reload | Measure cache timing           | Meltdown, Spectre |
| Prime+Probe  | Fill cache, measure evictions  | Spectre variants  |

Hardening & Mitigations

Kernel Config Options

| Option                          | Protects Against                     | Performance Impact |
|---------------------------------|--------------------------------------|--------------------|
| CONFIG_SLAB_FREELIST_RANDOM     | Heap layout prediction               | Minimal            |
| CONFIG_SLAB_FREELIST_HARDENED   | Freelist pointer corruption          | Minimal            |
| CONFIG_INIT_ON_ALLOC_DEFAULT_ON | Info leaks via uninitialized memory  | Low                |
| CONFIG_INIT_ON_FREE_DEFAULT_ON  | UAF info leaks                       | Low                |
| CONFIG_PAGE_TABLE_ISOLATION     | Meltdown                             | 1-5%               |
| CONFIG_RETPOLINE                | Spectre v2                           | Variable           |

Runtime Tunables

# Restrict userfaultfd (reduces race exploit surface)
echo 0 > /proc/sys/vm/unprivileged_userfaultfd

# Restrict kernel pointer exposure
echo 2 > /proc/sys/kernel/kptr_restrict

# Enable KFENCE sampling
echo 100 > /sys/module/kfence/parameters/sample_interval

External Resources

Research & Write-ups

Disclosure Lists
Contributing

Found a bug not listed here? Contributions welcome:

  1. Add to the appropriate subsystem file in bugs/
  2. Include: CVE (if assigned), fix commit, root cause analysis
  3. Link from this index