CVE-2026-23097

{"id": "CVE-2026-23097", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2026-02-04T17:16:20.570", "references": [{"url": "https://git.kernel.org/stable/c/1b68efce6dd483d22f50d0d3800c4cfda14b1305", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/526394af4e8ade89cacd1a9ce2b97712712fcc34", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5edb9854f8df5428b40990a1c7d60507da5bd330", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ad97b9a55246eb940a26ac977f80892a395cabf9", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b75070823b89009f5123fd0e05a8e0c3d39937c1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b7880cb166ab62c2409046b2347261abf701530e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e7396d23f9d5739f56cf9ab430c3a169f5508394", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmigrate: correct lock ordering for hugetlb file folios\n\nSyzbot has found a deadlock (analyzed by Lance Yang):\n\n1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).\n2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire\nfolio_lock.\n\nmigrate_pages()\n -> migrate_hugetlbs()\n -> unmap_and_move_huge_page() <- Takes folio_lock!\n -> remove_migration_ptes()\n -> __rmap_walk_file()\n -> i_mmap_lock_read() <- Waits for i_mmap_rwsem(read lock)!\n\nhugetlbfs_fallocate()\n -> hugetlbfs_punch_hole() <- Takes i_mmap_rwsem(write lock)!\n -> hugetlbfs_zero_partial_page()\n -> filemap_lock_hugetlb_folio()\n -> filemap_lock_folio()\n -> __filemap_get_folio <- Waits for folio_lock!\n\nThe migration path is the one taking locks in the wrong order according to\nthe documentation at the top of mm/rmap.c. So expand the scope of the\nexisting i_mmap_lock to cover the calls to remove_migration_ptes() too.\n\nThis is (mostly) how it used to be after commit c0d0381ade79. That was\nremoved by 336bf30eb765 for both file & anon hugetlb pages when it should\nonly have been removed for anon hugetlb pages."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nmigrate: orden correcto de bloqueo para folios de archivo hugetlb\n\nSyzbot ha encontrado un interbloqueo (analizado por Lance Yang):\n\n1) Tarea (5749): Mantiene folio_lock, luego intenta adquirir i_mmap_rwsem (bloqueo de lectura).\n2) Tarea (5754): Mantiene i_mmap_rwsem (bloqueo de escritura), luego intenta adquirir folio_lock.\n\nmigrate_pages()\n -&gt; migrate_hugetlbs()\n -&gt; unmap_and_move_huge_page() &lt;- \u00a1Toma folio_lock!\n -&gt; remove_migration_ptes()\n -&gt; __rmap_walk_file()\n -&gt; i_mmap_lock_read() &lt;- \u00a1Espera por i_mmap_rwsem (bloqueo de lectura)!\n\nhugetlbfs_fallocate()\n -&gt; hugetlbfs_punch_hole() &lt;- \u00a1Toma i_mmap_rwsem (bloqueo de escritura)!\n -&gt; hugetlbfs_zero_partial_page()\n -&gt; filemap_lock_hugetlb_folio()\n -&gt; filemap_lock_folio()\n -&gt; __filemap_get_folio &lt;- \u00a1Espera por folio_lock!\n\nLa ruta de migraci\u00f3n es la que toma los bloqueos en el orden incorrecto seg\u00fan la documentaci\u00f3n en la parte superior de mm/rmap.c. As\u00ed que expandir el alcance del i_mmap_lock existente para cubrir tambi\u00e9n las llamadas a remove_migration_ptes().\n\nEsto es (en su mayor\u00eda) como sol\u00eda ser despu\u00e9s del commit c0d0381ade79. Eso fue eliminado por 336bf30eb765 tanto para p\u00e1ginas hugetlb de archivo como an\u00f3nimas cuando solo deber\u00eda haber sido eliminado para p\u00e1ginas hugetlb an\u00f3nimas."}], "lastModified": "2026-03-18T12:47:17.880", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9598C575-CE16-4F2B-A517-667AA54B4B86", "versionEndExcluding": "5.10", "versionStartIncluding": "5.9.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FE8CC3D1-1602-4F1D-A05B-F0E1722A86DD", "versionEndExcluding": "5.10.249", "versionStartIncluding": "5.10.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A247FBA6-BEB9-484F-B892-DD5517949CCD", "versionEndExcluding": "5.15.199", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6579E0D4-0641-479D-A4C3-0EF618798C55", "versionEndExcluding": "6.1.162", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8EAAE395-0162-4BAF-9AD5-E9AF3C869C4F", "versionEndExcluding": "6.6.122", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "52F38E19-0FDD-4992-9D6D-D4169D689598", "versionEndExcluding": "6.12.68", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E65C6E79-7EBE-4C77-93F0-818CF5B38F4E", "versionEndExcluding": "6.18.8", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.10:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B29EBB93-107F-4ED6-8DE3-C2732BC659C3"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.10:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0CD159FA-170F-4389-9085-CACCF97ABB1E"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.10:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F0390D83-6C17-4557-BE8D-B659E04F565A"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.10:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4120E4B3-B66D-4ACE-8570-1DD4DF20A324"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.10:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "73D60343-647D-4B5D-AA6D-CE87C462E368"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}