arm64: Reserve an extra page for early kernel mapping

Summary

CVE	CVE-2026-53288
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-06-26 20:17:21 UTC
Updated	2026-06-26 20:17:21 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: arm64: Reserve an extra page for early kernel mapping The final part of [data, end) segment may overflow into the next page of init_pg_end[1] which is the gap page before early_init_stack[2]: [1] crash_arm64_v9.0.1> vtop ffffffed00601000 VIRTUAL PHYSICAL ffffffed00601000 83401000 PAGE DIRECTORY: ffffffecffd62000 PGD: ffffffecffd62da0 => 10000000833fb003 PMD: ffffff80033fb018 => 10000000833fe003 PTE: ffffff80033fe008 => 68000083401f03 PAGE: 83401000 PTE PHYSICAL FLAGS 68000083401f03 83401000 (VALID\|SHARED\|AF\|NG\|PXN\|UXN) PAGE PHYSICAL MAPPING INDEX CNT FLAGS fffffffec00d0040 83401000 0 0 1 4000 reserved [2] ffffffed002c8000 (r) __pi__data ffffffed0054e000 (d) __pi___bss_start ffffffed005f5000 (b) __pi_init_pg_dir ffffffed005fe000 (b) __pi_init_pg_end ffffffed005ff000 (B) early_init_stack ffffffed00608000 (b) __pi__end For 4K pages, the early kernel mapping may use 2MB block entries but the kernel segments are only 64KB aligned. Segment boundaries that fall within a 2MB block therefore require a PTE table so that different attributes can be applied on either side of the boundary. KERNEL_SEGMENT_COUNT still correctly counts the five permanent kernel VMAs registered by declare_kernel_vmas(). However, since commit 5973a62efa34 ("arm64: map [_text, _stext) virtual address range non-executable+read-only"), the early mapper also maps [_text, _stext) separately from [_stext, _etext). This adds one more early-only split and can require one more page-table page than the existing EARLY_SEGMENT_EXTRA_PAGES allowance reserves. Increase the 4K-page early mapping allowance by one page to cover that additional split. [[email protected]: rewrote part of the commit log] [[email protected]: expanded the code comment]

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected fdd380a5950503a07aaaf74536a0c2f223475eb0 a4ff33053da0a34b14abb5c96dc5a48379e26fce git	Not specified
CNA	Linux	Linux	affected 5973a62efa34c80c9a4e5eac1fca6f6209b902af dcb89deed40ba55ff7020061712fdabf098cc2cc git	Not specified
CNA	Linux	Linux	affected 5973a62efa34c80c9a4e5eac1fca6f6209b902af 9fe9e3acaa14921b0cf0d6cc2de5b562499bf721 git	Not specified
CNA	Linux	Linux	affected 5973a62efa34c80c9a4e5eac1fca6f6209b902af 4d8e74ad4585672489da6145b3328d415f50db82 git	Not specified
CNA	Linux	Linux	affected 88025faf2aa08c7468d68d8cb31a53b55aae6ee0 git	Not specified
CNA	Linux	Linux	affected 6.12.54 6.12.91 semver	Not specified
CNA	Linux	Linux	affected 6.17.4 6.18 semver	Not specified
CNA	Linux	Linux	affected 6.18	Not specified
CNA	Linux	Linux	unaffected 6.18 semver	Not specified
CNA	Linux	Linux	unaffected 6.12.91 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.33 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.10 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/4d8e74ad4585672489da6145b3328d415f50db82	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/9fe9e3acaa14921b0cf0d6cc2de5b562499bf721	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/a4ff33053da0a34b14abb5c96dc5a48379e26fce	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/dcb89deed40ba55ff7020061712fdabf098cc2cc	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.