Improper Update of Reference Count in rv | CVE-2026-23380

Q: How to fix?

There is no fixed version for RHEL:10 rv .

Threat Intelligence

0.02% (5^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-RHEL10-RV-15782321
published26 Mar 2026
disclosed25 Mar 2026

Report a new vulnerability Found a mistake?

Introduced: 25 Mar 2026

NewCVE-2026-23380 (opens in a new tab) CWE-911 (opens in a new tab)

How to fix?

There is no fixed version for RHEL:10 rv.

NVD Description

Note: Versions mentioned in the description apply only to the upstream rv package and not the rv package as distributed by RHEL. See How to fix? for RHEL:10 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix WARN_ON in tracing_buffers_mmap_close

When a process forks, the child process copies the parent's VMAs but the user_mapped reference count is not incremented. As a result, when both the parent and child processes exit, tracing_buffers_mmap_close() is called twice. On the second call, user_mapped is already 0, causing the function to return -ENODEV and triggering a WARN_ON.

Normally, this isn't an issue as the memory is mapped with VM_DONTCOPY set. But this is only a hint, and the application can call madvise(MADVISE_DOFORK) which resets the VM_DONTCOPY flag. When the application does that, it can trigger this issue on fork.

Fix it by incrementing the user_mapped reference count without re-mapping the pages in the VMA's open callback.

References

CVSS Base Scores

version 3.1

Attack Vector (AV)
Local
Attack Complexity (AC)
Low
Privileges Required (PR)
Low
User Interaction (UI)
None

Scope (S)
Unchanged

Confidentiality (C)
None
Integrity (I)
None
Availability (A)
Low

Improper Update of Reference Count Affecting rv package, versions *

Severity