Skip to content
/ kmsan Public

KernelMemorySanitizer, a detector of uses of uninitialized memory in the Linux kernel


Notifications You must be signed in to change notification settings


Repository files navigation

KMSAN (KernelMemorySanitizer)

KMSAN is a dynamic tool for detecting uninitialized memory accesses in the Linux kernel. It was integrated into the Linux kernel in version 6.1. KMSAN works by instrumenting the kernel code at compile time and checking for accesses to uninitialized memory at run time.

Contact: @ramosian-glider


  • Linux 6.1+ contains a fully-working KMSAN implementation which can be used out of the box.
  • Forked kernel branches with KMSAN patches are available at These will be kept around for posterity. Branches after 6.1 are still used for development.

How to build

export WORLD=`pwd`

In order to build a kernel with KMSAN you'll need a fresh Clang. Please refer to and for the instructions on how to build Clang. Otherwise, consider using prebuilt compiler binaries from the Chromium project:

# Instruction taken from
git clone
cd ..
export KMSAN_CLANG_PATH=`pwd`/third_party/llvm-build/Release+Asserts/bin/

Configure and build the kernel

git clone kmsan
cd kmsan
# Now configure the kernel. You basically need to enable CONFIG_KMSAN and CONFIG_KCOV,
# plus maybe some 9P options to interact with QEMU.
cp .config.example .config
make CC=$KMSAN_CLANG_PATH -j64 -k 2>&1 | tee build.log

Run the kernel

You can refer to for the instructions on running the freshly built kernel in a QEMU VM. Also consider running a KMSAN-instrumented kernel under syzkaller.


There is an outdated list of trophies at Most of the bugs found with KMSAN can be seen at (search for KMSAN).

How does it work?

Please refer to the Documentation in the upstream Linux kernel.

In a talk at FaMAF-UNC, I attempted to provide a comprehensive overview of the implementation details of KMSAN in 2021. The kernel part starts at 19:30, listen at 1.25x to save time).