CVE-2026-23100

EUVD-2026-5442
In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: fix hugetlb_pmd_shared()

Patch series "mm/hugetlb: fixes for PMD table sharing (incl.  using
mmu_gather)", v3.

One functional fix, one performance regression fix, and two related
comment fixes.

I cleaned up my prototype I recently shared [1] for the performance fix,
deferring most of the cleanups I had in the prototype to a later point. 
While doing that I identified the other things.

The goal of this patch set is to be backported to stable trees "fairly"
easily. At least patch #1 and #4.

Patch #1 fixes hugetlb_pmd_shared() not detecting any sharing
Patch #2 + #3 are simple comment fixes that patch #4 interacts with.
Patch #4 is a fix for the reported performance regression due to excessive
IPI broadcasts during fork()+exit().

The last patch is all about TLB flushes, IPIs and mmu_gather.
Read: complicated

There are plenty of cleanups in the future to be had + one reasonable
optimization on x86. But that's all out of scope for this series.

Runtime tested, with a focus on fixing the performance regression using
the original reproducer [2] on x86.


This patch (of 4):

We switched from (wrongly) using the page count to an independent shared
count.  Now, shared page tables have a refcount of 1 (excluding
speculative references) and instead use ptdesc->pt_share_count to identify
sharing.

We didn't convert hugetlb_pmd_shared(), so right now, we would never
detect a shared PMD table as such, because sharing/unsharing no longer
touches the refcount of a PMD table.

Page migration, like mbind() or migrate_pages() would allow for migrating
folios mapped into such shared PMD tables, even though the folios are not
exclusive.  In smaps we would account them as "private" although they are
"shared", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the
pagemap interface.

Fix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared().
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 1%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
5.10.239 ≤
𝑥
< 5.11
linuxlinux_kernel
5.15.186 ≤
𝑥
< 5.16
linuxlinux_kernel
6.1.142 ≤
𝑥
< 6.2
linuxlinux_kernel
6.6.72 ≤
𝑥
< 6.6.127
linuxlinux_kernel
6.12.9 ≤
𝑥
< 6.12.74
linuxlinux_kernel
6.13.1 ≤
𝑥
< 6.18.8
linuxlinux_kernel
6.13
linuxlinux_kernel
6.13:rc6
linuxlinux_kernel
6.13:rc7
linuxlinux_kernel
6.19:rc1
linuxlinux_kernel
6.19:rc2
linuxlinux_kernel
6.19:rc3
linuxlinux_kernel
6.19:rc4
linuxlinux_kernel
6.19:rc5
linuxlinux_kernel
6.19:rc6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.170-3
fixed
bookworm (security)
6.1.176-1
fixed
bullseye
vulnerable
bullseye (security)
5.10.259-1
fixed
forky
7.0.13-1
fixed
sid
7.1.3-1
fixed
trixie
6.12.86-1
fixed
trixie (security)
6.12.94-1
fixed
linux-6.1
bullseye (security)
6.1.176-1~deb11u1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
bpftool
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
bpftool-debuginfo
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
bpftool6.12
Amazon Linux 2023
1:6.12.74-98.124.amzn2023
fixed
bpftool6.12-debuginfo
Amazon Linux 2023
1:6.12.74-98.124.amzn2023
fixed
kernel
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-debuginfo
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-debuginfo-common-aarch64
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-debuginfo-common-x86_64
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-devel
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-headers
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-libbpf
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-libbpf-debuginfo
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-libbpf-devel
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-libbpf-static
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-livepatch-6.1.168-202.320
Amazon Linux 2023
1:1.0-0.amzn2023
fixed
kernel-livepatch-6.12.74-98.124
Amazon Linux 2023
1:1.0-0.amzn2023
fixed
kernel-modules-extra
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-modules-extra-common
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-tools
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-tools-debuginfo
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-tools-devel
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel6.12
Amazon Linux 2023
1:6.12.74-98.124.amzn2023
fixed
kernel6.12-debuginfo
Amazon Linux 2023
1:6.12.74-98.124.amzn2023
fixed
kernel6.12-debuginfo-common-aarch64
Amazon Linux 2023
1:6.12.74-98.124.amzn2023
fixed
kernel6.12-debuginfo-common-x86_64
Amazon Linux 2023
1:6.12.74-98.124.amzn2023
fixed
kernel6.12-devel
Amazon Linux 2023
1:6.12.74-98.124.amzn2023
fixed
kernel6.12-headers
Amazon Linux 2023
1:6.12.74-98.124.amzn2023
fixed
kernel6.12-libbpf
Amazon Linux 2023
1:6.12.74-98.124.amzn2023
fixed
kernel6.12-libbpf-debuginfo
Amazon Linux 2023
1:6.12.74-98.124.amzn2023
fixed
kernel6.12-libbpf-devel
Amazon Linux 2023
1:6.12.74-98.124.amzn2023
fixed
kernel6.12-libbpf-static
Amazon Linux 2023
1:6.12.74-98.124.amzn2023
fixed
kernel6.12-modules-extra
Amazon Linux 2023
1:6.12.74-98.124.amzn2023
fixed
kernel6.12-modules-extra-common
Amazon Linux 2023
1:6.12.74-98.124.amzn2023
fixed
kernel6.12-tools
Amazon Linux 2023
1:6.12.74-98.124.amzn2023
fixed
kernel6.12-tools-debuginfo
Amazon Linux 2023
1:6.12.74-98.124.amzn2023
fixed
kernel6.12-tools-devel
Amazon Linux 2023
1:6.12.74-98.124.amzn2023
fixed
perf
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
perf-debuginfo
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
perf6.12
Amazon Linux 2023
1:6.12.74-98.124.amzn2023
fixed
perf6.12-debuginfo
Amazon Linux 2023
1:6.12.74-98.124.amzn2023
fixed
python3-perf
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
python3-perf-debuginfo
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
python3-perf6.12
Amazon Linux 2023
1:6.12.74-98.124.amzn2023
fixed
python3-perf6.12-debuginfo
Amazon Linux 2023
1:6.12.74-98.124.amzn2023
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
kernel
Azure Linux 3.0
0:6.6.130.1-1.azl3
fixed