CVE-2026-23100 (GCVE-0-2026-23100)

Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-19 15:39
Title
mm/hugetlb: fix hugetlb_pmd_shared()
Summary
In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: fix hugetlb_pmd_shared()

Patch series "mm/hugetlb: fixes for PMD table sharing (incl. using mmu_gather)", v3.

One functional fix, one performance regression fix, and two related comment fixes.

I cleaned up my prototype I recently shared [1] for the performance fix, deferring most of the cleanups I had in the prototype to a later point. While doing that I identified the other things.

The goal of this patch set is to be backported to stable trees "fairly" easily. At least patch #1 and #4.

Patch #1 fixes hugetlb_pmd_shared() not detecting any sharing
Patch #2 + #3 are simple comment fixes that patch #4 interacts with.
Patch #4 is a fix for the reported performance regression due to excessive IPI broadcasts during fork()+exit().

The last patch is all about TLB flushes, IPIs and mmu_gather.
Read: complicated

There are plenty of cleanups in the future to be had + one reasonable optimization on x86. But that's all out of scope for this series.

Runtime tested, with a focus on fixing the performance regression using the original reproducer [2] on x86.

This patch (of 4):

We switched from (wrongly) using the page count to an independent shared count. Now, shared page tables have a refcount of 1 (excluding speculative references) and instead use ptdesc->pt_share_count to identify sharing.

We didn't convert hugetlb_pmd_shared(), so right now, we would never detect a shared PMD table as such, because sharing/unsharing no longer touches the refcount of a PMD table.

Page migration, like mbind() or migrate_pages() would allow for migrating folios mapped into such shared PMD tables, even though the folios are not exclusive. In smaps we would account them as "private" although they are "shared", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the pagemap interface.

Fix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared().
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 56b274473d6e7e7375f2d0a2b4aca11d67c6b52f , < 51dcf459845fd28f5a0d83d408a379b274ec5cc5 (git)
Affected: 2e31443a0d18ae43b9d29e02bf0563f07772193d , < 3a18b452dd5f7f1652c2e92f8ae769aa17a66c9e (git)
Affected: 59d9094df3d79443937add8700b2ef1a866b1081 , < 69c4e241ff13545d410a8b2a688c932182a858bf (git)
Affected: 59d9094df3d79443937add8700b2ef1a866b1081 , < ca1a47cd3f5f4c46ca188b1c9a27af87d1ab2216 (git)
Affected: 94b4b41d0cdf5cfd4d4325bc0e6e9e0d0e996133 (git)
Affected: 8410996eb6fea116fe1483ed977aacf580eee7b4 (git)
Affected: 02333ac1c35370517a19a4a131332a9690c6a5c7 (git)
Linux Linux Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 6.6.127 , ≤ 6.6.* (semver)
Unaffected: 6.12.74 , ≤ 6.12.* (semver)
Unaffected: 6.18.8 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/hugetlb.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "51dcf459845fd28f5a0d83d408a379b274ec5cc5",
              "status": "affected",
              "version": "56b274473d6e7e7375f2d0a2b4aca11d67c6b52f",
              "versionType": "git"
            },
            {
              "lessThan": "3a18b452dd5f7f1652c2e92f8ae769aa17a66c9e",
              "status": "affected",
              "version": "2e31443a0d18ae43b9d29e02bf0563f07772193d",
              "versionType": "git"
            },
            {
              "lessThan": "69c4e241ff13545d410a8b2a688c932182a858bf",
              "status": "affected",
              "version": "59d9094df3d79443937add8700b2ef1a866b1081",
              "versionType": "git"
            },
            {
              "lessThan": "ca1a47cd3f5f4c46ca188b1c9a27af87d1ab2216",
              "status": "affected",
              "version": "59d9094df3d79443937add8700b2ef1a866b1081",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "94b4b41d0cdf5cfd4d4325bc0e6e9e0d0e996133",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8410996eb6fea116fe1483ed977aacf580eee7b4",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "02333ac1c35370517a19a4a131332a9690c6a5c7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/hugetlb.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.127",
                  "versionStartIncluding": "6.6.72",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.74",
                  "versionStartIncluding": "6.12.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.8",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.10.239",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.186",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.1.142",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix hugetlb_pmd_shared()\n\nPatch series \"mm/hugetlb: fixes for PMD table sharing (incl.  using\nmmu_gather)\", v3.\n\nOne functional fix, one performance regression fix, and two related\ncomment fixes.\n\nI cleaned up my prototype I recently shared [1] for the performance fix,\ndeferring most of the cleanups I had in the prototype to a later point. \nWhile doing that I identified the other things.\n\nThe goal of this patch set is to be backported to stable trees \"fairly\"\neasily. At least patch #1 and #4.\n\nPatch #1 fixes hugetlb_pmd_shared() not detecting any sharing\nPatch #2 + #3 are simple comment fixes that patch #4 interacts with.\nPatch #4 is a fix for the reported performance regression due to excessive\nIPI broadcasts during fork()+exit().\n\nThe last patch is all about TLB flushes, IPIs and mmu_gather.\nRead: complicated\n\nThere are plenty of cleanups in the future to be had + one reasonable\noptimization on x86. But that\u0027s all out of scope for this series.\n\nRuntime tested, with a focus on fixing the performance regression using\nthe original reproducer [2] on x86.\n\n\nThis patch (of 4):\n\nWe switched from (wrongly) using the page count to an independent shared\ncount.  Now, shared page tables have a refcount of 1 (excluding\nspeculative references) and instead use ptdesc-\u003ept_share_count to identify\nsharing.\n\nWe didn\u0027t convert hugetlb_pmd_shared(), so right now, we would never\ndetect a shared PMD table as such, because sharing/unsharing no longer\ntouches the refcount of a PMD table.\n\nPage migration, like mbind() or migrate_pages() would allow for migrating\nfolios mapped into such shared PMD tables, even though the folios are not\nexclusive.  In smaps we would account them as \"private\" although they are\n\"shared\", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the\npagemap interface.\n\nFix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-19T15:39:32.104Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/51dcf459845fd28f5a0d83d408a379b274ec5cc5"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a18b452dd5f7f1652c2e92f8ae769aa17a66c9e"
        },
        {
          "url": "https://git.kernel.org/stable/c/69c4e241ff13545d410a8b2a688c932182a858bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca1a47cd3f5f4c46ca188b1c9a27af87d1ab2216"
        }
      ],
      "title": "mm/hugetlb: fix hugetlb_pmd_shared()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23100",
    "datePublished": "2026-02-04T16:08:22.592Z",
    "dateReserved": "2026-01-13T15:37:45.965Z",
    "dateUpdated": "2026-02-19T15:39:32.104Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

