{"api_version":"1","generated_at":"2026-07-14T02:54:52+00:00","cve":"CVE-2026-53207","urls":{"html":"https://cve.report/CVE-2026-53207","api":"https://cve.report/api/cve/CVE-2026-53207.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53207","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53207"},"summary":{"title":"mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison\n\nTwo concurrent madvise(MADV_HWPOISON) calls on the same hugetlb page can\ntrigger a recursive spinlock self-deadlock (AA deadlock) on hugetlb_lock\nwhen racing with a concurrent unmap:\n\n  thread#0                              thread#1\n  --------                              --------\n  madvise(folio, MADV_HWPOISON)\n    -> poisons the folio successfully\n  madvise(folio, MADV_HWPOISON)         unmap(folio)\n    try_memory_failure_hugetlb\n      get_huge_page_for_hwpoison\n        spin_lock_irq(&hugetlb_lock)    <- held\n        __get_huge_page_for_hwpoison\n          hugetlb_update_hwpoison()\n            -> MF_HUGETLB_FOLIO_PRE_POISONED\n          goto out:\n            folio_put()\n              refcount: 1 -> 0\n              free_huge_folio()\n                spin_lock_irqsave(&hugetlb_lock)\n                  -> AA DEADLOCK!\n\nThe out: path in __get_huge_page_for_hwpoison() calls folio_put() to drop\nthe GUP reference while the hugetlb_lock is still held by the hugetlb.c\nwrapper get_huge_page_for_hwpoison().  If concurrent unmap has released\nthe page table mapping reference, folio_put() drops the folio refcount to\nzero, triggering free_huge_folio() which attempts to re-acquire the\nnon-recursive hugetlb_lock.\n\nFix this by moving hugetlb_lock acquisition from the hugetlb.c wrapper\ninto get_huge_page_for_hwpoison().  Place spin_unlock_irq() before the\nfolio_put() at the out: label so the folio is always released outside the\nlock.\n\n[akpm@linux-foundation.org: fix race, rename label per Miaohe]","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-25 09:16:38","updated_at":"2026-07-02 20:55:07"},"problem_types":["CWE-667"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/fc3ff42cb0cbf947e4600ae9761c3783760050e2","name":"https://git.kernel.org/stable/c/fc3ff42cb0cbf947e4600ae9761c3783760050e2","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/dd77a83915b07e2b0205adb284f08b39ae31dc4b","name":"https://git.kernel.org/stable/c/dd77a83915b07e2b0205adb284f08b39ae31dc4b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e","name":"https://git.kernel.org/stable/c/3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a33bfed648c10f5a1519981dbfad80841191edc8","name":"https://git.kernel.org/stable/c/a33bfed648c10f5a1519981dbfad80841191edc8","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/bf7ba8f96c258c30393814491930ae4ecdc5fe5e","name":"https://git.kernel.org/stable/c/bf7ba8f96c258c30393814491930ae4ecdc5fe5e","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/77b73b54801ae7137479c141fd0473a491c1dc48","name":"https://git.kernel.org/stable/c/77b73b54801ae7137479c141fd0473a491c1dc48","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53207","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53207","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 405ce051236cc65b30bbfe490b28ce60ae6aed85 fc3ff42cb0cbf947e4600ae9761c3783760050e2 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 405ce051236cc65b30bbfe490b28ce60ae6aed85 77b73b54801ae7137479c141fd0473a491c1dc48 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 405ce051236cc65b30bbfe490b28ce60ae6aed85 a33bfed648c10f5a1519981dbfad80841191edc8 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 405ce051236cc65b30bbfe490b28ce60ae6aed85 dd77a83915b07e2b0205adb284f08b39ae31dc4b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 405ce051236cc65b30bbfe490b28ce60ae6aed85 bf7ba8f96c258c30393814491930ae4ecdc5fe5e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 405ce051236cc65b30bbfe490b28ce60ae6aed85 3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 62d1655b922958826b7ec22682c3141746f75064 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.15.54 5.16 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.18","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.18 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.176 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.143 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.94 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.36 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.13 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"53207","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"53207","cve":"CVE-2026-53207","epss":"0.000990000","percentile":"0.010020000","score_date":"2026-07-04","updated_at":"2026-07-05 00:02:27"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["include/linux/hugetlb.h","include/linux/mm.h","mm/hugetlb.c","mm/memory-failure.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"fc3ff42cb0cbf947e4600ae9761c3783760050e2","status":"affected","version":"405ce051236cc65b30bbfe490b28ce60ae6aed85","versionType":"git"},{"lessThan":"77b73b54801ae7137479c141fd0473a491c1dc48","status":"affected","version":"405ce051236cc65b30bbfe490b28ce60ae6aed85","versionType":"git"},{"lessThan":"a33bfed648c10f5a1519981dbfad80841191edc8","status":"affected","version":"405ce051236cc65b30bbfe490b28ce60ae6aed85","versionType":"git"},{"lessThan":"dd77a83915b07e2b0205adb284f08b39ae31dc4b","status":"affected","version":"405ce051236cc65b30bbfe490b28ce60ae6aed85","versionType":"git"},{"lessThan":"bf7ba8f96c258c30393814491930ae4ecdc5fe5e","status":"affected","version":"405ce051236cc65b30bbfe490b28ce60ae6aed85","versionType":"git"},{"lessThan":"3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e","status":"affected","version":"405ce051236cc65b30bbfe490b28ce60ae6aed85","versionType":"git"},{"status":"affected","version":"62d1655b922958826b7ec22682c3141746f75064","versionType":"git"},{"lessThan":"5.16","status":"affected","version":"5.15.54","versionType":"semver"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["include/linux/hugetlb.h","include/linux/mm.h","mm/hugetlb.c","mm/memory-failure.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.18"},{"lessThan":"5.18","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.176","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.143","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.94","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.36","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.13","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.176","versionStartIncluding":"5.18","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.143","versionStartIncluding":"5.18","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.94","versionStartIncluding":"5.18","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.36","versionStartIncluding":"5.18","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.13","versionStartIncluding":"5.18","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"5.18","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.54","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison\n\nTwo concurrent madvise(MADV_HWPOISON) calls on the same hugetlb page can\ntrigger a recursive spinlock self-deadlock (AA deadlock) on hugetlb_lock\nwhen racing with a concurrent unmap:\n\n  thread#0                              thread#1\n  --------                              --------\n  madvise(folio, MADV_HWPOISON)\n    -> poisons the folio successfully\n  madvise(folio, MADV_HWPOISON)         unmap(folio)\n    try_memory_failure_hugetlb\n      get_huge_page_for_hwpoison\n        spin_lock_irq(&hugetlb_lock)    <- held\n        __get_huge_page_for_hwpoison\n          hugetlb_update_hwpoison()\n            -> MF_HUGETLB_FOLIO_PRE_POISONED\n          goto out:\n            folio_put()\n              refcount: 1 -> 0\n              free_huge_folio()\n                spin_lock_irqsave(&hugetlb_lock)\n                  -> AA DEADLOCK!\n\nThe out: path in __get_huge_page_for_hwpoison() calls folio_put() to drop\nthe GUP reference while the hugetlb_lock is still held by the hugetlb.c\nwrapper get_huge_page_for_hwpoison().  If concurrent unmap has released\nthe page table mapping reference, folio_put() drops the folio refcount to\nzero, triggering free_huge_folio() which attempts to re-acquire the\nnon-recursive hugetlb_lock.\n\nFix this by moving hugetlb_lock acquisition from the hugetlb.c wrapper\ninto get_huge_page_for_hwpoison().  Place spin_unlock_irq() before the\nfolio_put() at the out: label so the folio is always released outside the\nlock.\n\n[akpm@linux-foundation.org: fix race, rename label per Miaohe]"}],"providerMetadata":{"dateUpdated":"2026-06-25T08:39:13.592Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/fc3ff42cb0cbf947e4600ae9761c3783760050e2"},{"url":"https://git.kernel.org/stable/c/77b73b54801ae7137479c141fd0473a491c1dc48"},{"url":"https://git.kernel.org/stable/c/a33bfed648c10f5a1519981dbfad80841191edc8"},{"url":"https://git.kernel.org/stable/c/dd77a83915b07e2b0205adb284f08b39ae31dc4b"},{"url":"https://git.kernel.org/stable/c/bf7ba8f96c258c30393814491930ae4ecdc5fe5e"},{"url":"https://git.kernel.org/stable/c/3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e"}],"title":"mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-53207","datePublished":"2026-06-25T08:39:13.592Z","dateReserved":"2026-06-09T07:44:35.391Z","dateUpdated":"2026-06-25T08:39:13.592Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-25 09:16:38","lastModifiedDate":"2026-07-02 20:55:07","problem_types":["CWE-667"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.54","versionEndExcluding":"5.16","matchCriteriaId":"420A7F9A-23A1-4578-83CE-F7E16D5ABF38"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18.1","versionEndExcluding":"6.1.176","matchCriteriaId":"5B932B6B-A568-4157-BA49-337B42FA0569"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.143","matchCriteriaId":"9062F1CD-CAD6-4EA2-A73F-C06D4A887B8C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.94","matchCriteriaId":"85421C0C-ABDE-4357-971C-67F9087DE1B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.36","matchCriteriaId":"389025D2-958D-41BD-BD96-70ED1033A9F3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.13","matchCriteriaId":"6A64BF9F-3BCA-42FD-98CB-8F03474D2B1E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.18:-:*:*:*:*:*:*","matchCriteriaId":"0384FA0A-DE99-48D7-84E3-46ED0C3B5E03"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.18:rc4:*:*:*:*:*:*","matchCriteriaId":"DA5F085D-52F3-4EE2-8353-455D1A6FE073"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.18:rc5:*:*:*:*:*:*","matchCriteriaId":"D6EE5B78-0D83-4715-893C-ABD69B49E7FC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.18:rc6:*:*:*:*:*:*","matchCriteriaId":"EE723F14-047B-4FCF-B109-E0542EDFB063"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.18:rc7:*:*:*:*:*:*","matchCriteriaId":"2FCFCE58-5118-4D05-864E-C82CF20EABE5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:*","matchCriteriaId":"E5910A9D-F60A-409A-B486-FE66BFEBA9B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc5:*:*:*:*:*:*","matchCriteriaId":"81DFF19E-9CF8-49C6-8C36-1E4038622933"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc6:*:*:*:*:*:*","matchCriteriaId":"B0E8FC71-3952-444C-83E9-718DBBBEC615"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53207","Ordinal":"1","Title":"mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page","CVE":"CVE-2026-53207","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53207","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison\n\nTwo concurrent madvise(MADV_HWPOISON) calls on the same hugetlb page can\ntrigger a recursive spinlock self-deadlock (AA deadlock) on hugetlb_lock\nwhen racing with a concurrent unmap:\n\n  thread#0                              thread#1\n  --------                              --------\n  madvise(folio, MADV_HWPOISON)\n    -> poisons the folio successfully\n  madvise(folio, MADV_HWPOISON)         unmap(folio)\n    try_memory_failure_hugetlb\n      get_huge_page_for_hwpoison\n        spin_lock_irq(&hugetlb_lock)    <- held\n        __get_huge_page_for_hwpoison\n          hugetlb_update_hwpoison()\n            -> MF_HUGETLB_FOLIO_PRE_POISONED\n          goto out:\n            folio_put()\n              refcount: 1 -> 0\n              free_huge_folio()\n                spin_lock_irqsave(&hugetlb_lock)\n                  -> AA DEADLOCK!\n\nThe out: path in __get_huge_page_for_hwpoison() calls folio_put() to drop\nthe GUP reference while the hugetlb_lock is still held by the hugetlb.c\nwrapper get_huge_page_for_hwpoison().  If concurrent unmap has released\nthe page table mapping reference, folio_put() drops the folio refcount to\nzero, triggering free_huge_folio() which attempts to re-acquire the\nnon-recursive hugetlb_lock.\n\nFix this by moving hugetlb_lock acquisition from the hugetlb.c wrapper\ninto get_huge_page_for_hwpoison().  Place spin_unlock_irq() before the\nfolio_put() at the out: label so the folio is always released outside the\nlock.\n\n[akpm@linux-foundation.org: fix race, rename label per Miaohe]","Type":"Description","Title":"mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page"}]}}}