mm/hugetlb: fix hugetlb_pmd_shared()
Summary
| CVE | CVE-2026-23100 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-02-04 17:16:20 UTC |
| Updated | 2026-04-18 09:16:13 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix hugetlb_pmd_shared() Patch series "mm/hugetlb: fixes for PMD table sharing (incl. using mmu_gather)", v3. One functional fix, one performance regression fix, and two related comment fixes. I cleaned up my prototype I recently shared [1] for the performance fix, deferring most of the cleanups I had in the prototype to a later point. While doing that I identified the other things. The goal of this patch set is to be backported to stable trees "fairly" easily. At least patch #1 and #4. Patch #1 fixes hugetlb_pmd_shared() not detecting any sharing Patch #2 + #3 are simple comment fixes that patch #4 interacts with. Patch #4 is a fix for the reported performance regression due to excessive IPI broadcasts during fork()+exit(). The last patch is all about TLB flushes, IPIs and mmu_gather. Read: complicated There are plenty of cleanups in the future to be had + one reasonable optimization on x86. But that's all out of scope for this series. Runtime tested, with a focus on fixing the performance regression using the original reproducer [2] on x86. This patch (of 4): We switched from (wrongly) using the page count to an independent shared count. Now, shared page tables have a refcount of 1 (excluding speculative references) and instead use ptdesc->pt_share_count to identify sharing. We didn't convert hugetlb_pmd_shared(), so right now, we would never detect a shared PMD table as such, because sharing/unsharing no longer touches the refcount of a PMD table. Page migration, like mbind() or migrate_pages() would allow for migrating folios mapped into such shared PMD tables, even though the folios are not exclusive. In smaps we would account them as "private" although they are "shared", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the pagemap interface. Fix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared(). |
Risk And Classification
Primary CVSS: v3.1 5.5 MEDIUM from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Problem Types: NVD-CWE-noinfo
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 94b4b41d0cdf5cfd4d4325bc0e6e9e0d0e996133 8ae48255bcb17b32436be97553dca848730d365f git | Not specified |
| CNA | Linux | Linux | affected 8410996eb6fea116fe1483ed977aacf580eee7b4 bf3c2affe245cf831866ddc8f736ae6a22cdc11c git | Not specified |
| CNA | Linux | Linux | affected 02333ac1c35370517a19a4a131332a9690c6a5c7 5b2aec77f92265a9028c5f632bdd9af5b57ec3a3 git | Not specified |
| CNA | Linux | Linux | affected 56b274473d6e7e7375f2d0a2b4aca11d67c6b52f 51dcf459845fd28f5a0d83d408a379b274ec5cc5 git | Not specified |
| CNA | Linux | Linux | affected 2e31443a0d18ae43b9d29e02bf0563f07772193d 3a18b452dd5f7f1652c2e92f8ae769aa17a66c9e git | Not specified |
| CNA | Linux | Linux | affected 59d9094df3d79443937add8700b2ef1a866b1081 69c4e241ff13545d410a8b2a688c932182a858bf git | Not specified |
| CNA | Linux | Linux | affected 59d9094df3d79443937add8700b2ef1a866b1081 ca1a47cd3f5f4c46ca188b1c9a27af87d1ab2216 git | Not specified |
| CNA | Linux | Linux | affected 6.13 | Not specified |
| CNA | Linux | Linux | unaffected 6.13 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.253 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.203 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.167 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.127 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.74 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.8 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.19 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/69c4e241ff13545d410a8b2a688c932182a858bf | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/5b2aec77f92265a9028c5f632bdd9af5b57ec3a3 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/3a18b452dd5f7f1652c2e92f8ae769aa17a66c9e | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/51dcf459845fd28f5a0d83d408a379b274ec5cc5 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/bf3c2affe245cf831866ddc8f736ae6a22cdc11c | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/8ae48255bcb17b32436be97553dca848730d365f | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/ca1a47cd3f5f4c46ca188b1c9a27af87d1ab2216 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.