{"api_version":"1","generated_at":"2026-05-13T15:18:02+00:00","cve":"CVE-2026-43286","urls":{"html":"https://cve.report/CVE-2026-43286","api":"https://cve.report/api/cve/CVE-2026-43286.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43286","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43286"},"summary":{"title":"mm/hugetlb: restore failed global reservations to subpool","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: restore failed global reservations to subpool\n\nCommit a833a693a490 (\"mm: hugetlb: fix incorrect fallback for subpool\")\nfixed an underflow error for hstate->resv_huge_pages caused by incorrectly\nattributing globally requested pages to the subpool's reservation.\n\nUnfortunately, this fix also introduced the opposite problem, which would\nleave spool->used_hpages elevated if the globally requested pages could\nnot be acquired.  This is because while a subpool's reserve pages only\naccounts for what is requested and allocated from the subpool, its \"used\"\ncounter keeps track of what is consumed in total, both from the subpool\nand globally.  Thus, we need to adjust spool->used_hpages in the other\ndirection, and make sure that globally requested pages are uncharged from\nthe subpool's used counter.\n\nEach failed allocation attempt increments the used_hpages counter by how\nmany pages were requested from the global pool.  Ultimately, this renders\nthe subpool unusable, as used_hpages approaches the max limit.\n\nThe issue can be reproduced as follows:\n1. Allocate 4 hugetlb pages\n2. Create a hugetlb mount with max=4, min=2\n3. Consume 2 pages globally\n4. Request 3 pages from the subpool (2 from subpool + 1 from global)\n\t4.1 hugepage_subpool_get_pages(spool, 3) succeeds.\n\t\tused_hpages += 3\n\t4.2 hugetlb_acct_memory(h, 1) fails: no global pages left\n\t\tused_hpages -= 2\n5. Subpool now has used_hpages = 1, despite not being able to\n   successfully allocate any hugepages. It believes it can now only\n   allocate 3 more hugepages, not 4.\n\nWith each failed allocation attempt incrementing the used counter, the\nsubpool eventually reaches a point where its used counter equals its\nmax counter.  At that point, any future allocations that try to\nallocate hugeTLB pages from the subpool will fail, despite the subpool\nnot having any of its hugeTLB pages consumed by any user.\n\nOnce this happens, there is no way to make the subpool usable again,\nsince there is no way to decrement the used counter as no process is\nreally consuming the hugeTLB pages.\n\nThe underflow issue that the original commit fixes still remains fixed\nas well.\n\nWithout this fix, used_hpages would keep on leaking if\nhugetlb_acct_memory() fails.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-08 14:16:35","updated_at":"2026-05-12 14:10:27"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/f055897c975d079a90af873c791ab58cf0f6f2a5","name":"https://git.kernel.org/stable/c/f055897c975d079a90af873c791ab58cf0f6f2a5","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/5eac1322a7b14b8cd05ec896618278b90fba7f39","name":"https://git.kernel.org/stable/c/5eac1322a7b14b8cd05ec896618278b90fba7f39","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/1d3f9bb4c8af70304d19c22e30f5d16a2d589bb5","name":"https://git.kernel.org/stable/c/1d3f9bb4c8af70304d19c22e30f5d16a2d589bb5","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43286","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43286","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected a833a693a490ecff8ba377654c6d4d333718b6b1 5eac1322a7b14b8cd05ec896618278b90fba7f39 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected a833a693a490ecff8ba377654c6d4d333718b6b1 f055897c975d079a90af873c791ab58cf0f6f2a5 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected a833a693a490ecff8ba377654c6d4d333718b6b1 1d3f9bb4c8af70304d19c22e30f5d16a2d589bb5 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected adb5c2e55524e3a96b02c3904b0bb6d5a5404d21 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.15","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.15 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.16 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.6 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"43286","cve":"CVE-2026-43286","epss":"0.000170000","percentile":"0.041320000","score_date":"2026-05-12","updated_at":"2026-05-13 00:11:53"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["mm/hugetlb.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"5eac1322a7b14b8cd05ec896618278b90fba7f39","status":"affected","version":"a833a693a490ecff8ba377654c6d4d333718b6b1","versionType":"git"},{"lessThan":"f055897c975d079a90af873c791ab58cf0f6f2a5","status":"affected","version":"a833a693a490ecff8ba377654c6d4d333718b6b1","versionType":"git"},{"lessThan":"1d3f9bb4c8af70304d19c22e30f5d16a2d589bb5","status":"affected","version":"a833a693a490ecff8ba377654c6d4d333718b6b1","versionType":"git"},{"status":"affected","version":"adb5c2e55524e3a96b02c3904b0bb6d5a5404d21","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["mm/hugetlb.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.15"},{"lessThan":"6.15","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.16","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.6","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.16","versionStartIncluding":"6.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.6","versionStartIncluding":"6.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14.8","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: restore failed global reservations to subpool\n\nCommit a833a693a490 (\"mm: hugetlb: fix incorrect fallback for subpool\")\nfixed an underflow error for hstate->resv_huge_pages caused by incorrectly\nattributing globally requested pages to the subpool's reservation.\n\nUnfortunately, this fix also introduced the opposite problem, which would\nleave spool->used_hpages elevated if the globally requested pages could\nnot be acquired.  This is because while a subpool's reserve pages only\naccounts for what is requested and allocated from the subpool, its \"used\"\ncounter keeps track of what is consumed in total, both from the subpool\nand globally.  Thus, we need to adjust spool->used_hpages in the other\ndirection, and make sure that globally requested pages are uncharged from\nthe subpool's used counter.\n\nEach failed allocation attempt increments the used_hpages counter by how\nmany pages were requested from the global pool.  Ultimately, this renders\nthe subpool unusable, as used_hpages approaches the max limit.\n\nThe issue can be reproduced as follows:\n1. Allocate 4 hugetlb pages\n2. Create a hugetlb mount with max=4, min=2\n3. Consume 2 pages globally\n4. Request 3 pages from the subpool (2 from subpool + 1 from global)\n\t4.1 hugepage_subpool_get_pages(spool, 3) succeeds.\n\t\tused_hpages += 3\n\t4.2 hugetlb_acct_memory(h, 1) fails: no global pages left\n\t\tused_hpages -= 2\n5. Subpool now has used_hpages = 1, despite not being able to\n   successfully allocate any hugepages. It believes it can now only\n   allocate 3 more hugepages, not 4.\n\nWith each failed allocation attempt incrementing the used counter, the\nsubpool eventually reaches a point where its used counter equals its\nmax counter.  At that point, any future allocations that try to\nallocate hugeTLB pages from the subpool will fail, despite the subpool\nnot having any of its hugeTLB pages consumed by any user.\n\nOnce this happens, there is no way to make the subpool usable again,\nsince there is no way to decrement the used counter as no process is\nreally consuming the hugeTLB pages.\n\nThe underflow issue that the original commit fixes still remains fixed\nas well.\n\nWithout this fix, used_hpages would keep on leaking if\nhugetlb_acct_memory() fails."}],"providerMetadata":{"dateUpdated":"2026-05-11T22:21:37.239Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/5eac1322a7b14b8cd05ec896618278b90fba7f39"},{"url":"https://git.kernel.org/stable/c/f055897c975d079a90af873c791ab58cf0f6f2a5"},{"url":"https://git.kernel.org/stable/c/1d3f9bb4c8af70304d19c22e30f5d16a2d589bb5"}],"title":"mm/hugetlb: restore failed global reservations to subpool","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43286","datePublished":"2026-05-08T13:11:11.867Z","dateReserved":"2026-05-01T14:12:55.999Z","dateUpdated":"2026-05-11T22:21:37.239Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-08 14:16:35","lastModifiedDate":"2026-05-12 14:10:27","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43286","Ordinal":"1","Title":"mm/hugetlb: restore failed global reservations to subpool","CVE":"CVE-2026-43286","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43286","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: restore failed global reservations to subpool\n\nCommit a833a693a490 (\"mm: hugetlb: fix incorrect fallback for subpool\")\nfixed an underflow error for hstate->resv_huge_pages caused by incorrectly\nattributing globally requested pages to the subpool's reservation.\n\nUnfortunately, this fix also introduced the opposite problem, which would\nleave spool->used_hpages elevated if the globally requested pages could\nnot be acquired.  This is because while a subpool's reserve pages only\naccounts for what is requested and allocated from the subpool, its \"used\"\ncounter keeps track of what is consumed in total, both from the subpool\nand globally.  Thus, we need to adjust spool->used_hpages in the other\ndirection, and make sure that globally requested pages are uncharged from\nthe subpool's used counter.\n\nEach failed allocation attempt increments the used_hpages counter by how\nmany pages were requested from the global pool.  Ultimately, this renders\nthe subpool unusable, as used_hpages approaches the max limit.\n\nThe issue can be reproduced as follows:\n1. Allocate 4 hugetlb pages\n2. Create a hugetlb mount with max=4, min=2\n3. Consume 2 pages globally\n4. Request 3 pages from the subpool (2 from subpool + 1 from global)\n\t4.1 hugepage_subpool_get_pages(spool, 3) succeeds.\n\t\tused_hpages += 3\n\t4.2 hugetlb_acct_memory(h, 1) fails: no global pages left\n\t\tused_hpages -= 2\n5. Subpool now has used_hpages = 1, despite not being able to\n   successfully allocate any hugepages. It believes it can now only\n   allocate 3 more hugepages, not 4.\n\nWith each failed allocation attempt incrementing the used counter, the\nsubpool eventually reaches a point where its used counter equals its\nmax counter.  At that point, any future allocations that try to\nallocate hugeTLB pages from the subpool will fail, despite the subpool\nnot having any of its hugeTLB pages consumed by any user.\n\nOnce this happens, there is no way to make the subpool usable again,\nsince there is no way to decrement the used counter as no process is\nreally consuming the hugeTLB pages.\n\nThe underflow issue that the original commit fixes still remains fixed\nas well.\n\nWithout this fix, used_hpages would keep on leaking if\nhugetlb_acct_memory() fails.","Type":"Description","Title":"mm/hugetlb: restore failed global reservations to subpool"}]}}}