CVE-2026-23100

{"id": "CVE-2026-23100", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2026-02-04T17:16:20.880", "references": [{"url": "https://git.kernel.org/stable/c/3a18b452dd5f7f1652c2e92f8ae769aa17a66c9e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/51dcf459845fd28f5a0d83d408a379b274ec5cc5", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5b2aec77f92265a9028c5f632bdd9af5b57ec3a3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/69c4e241ff13545d410a8b2a688c932182a858bf", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ca1a47cd3f5f4c46ca188b1c9a27af87d1ab2216", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix hugetlb_pmd_shared()\n\nPatch series \"mm/hugetlb: fixes for PMD table sharing (incl. using\nmmu_gather)\", v3.\n\nOne functional fix, one performance regression fix, and two related\ncomment fixes.\n\nI cleaned up my prototype I recently shared [1] for the performance fix,\ndeferring most of the cleanups I had in the prototype to a later point. \nWhile doing that I identified the other things.\n\nThe goal of this patch set is to be backported to stable trees \"fairly\"\neasily. At least patch #1 and #4.\n\nPatch #1 fixes hugetlb_pmd_shared() not detecting any sharing\nPatch #2 + #3 are simple comment fixes that patch #4 interacts with.\nPatch #4 is a fix for the reported performance regression due to excessive\nIPI broadcasts during fork()+exit().\n\nThe last patch is all about TLB flushes, IPIs and mmu_gather.\nRead: complicated\n\nThere are plenty of cleanups in the future to be had + one reasonable\noptimization on x86. But that's all out of scope for this series.\n\nRuntime tested, with a focus on fixing the performance regression using\nthe original reproducer [2] on x86.\n\n\nThis patch (of 4):\n\nWe switched from (wrongly) using the page count to an independent shared\ncount. Now, shared page tables have a refcount of 1 (excluding\nspeculative references) and instead use ptdesc->pt_share_count to identify\nsharing.\n\nWe didn't convert hugetlb_pmd_shared(), so right now, we would never\ndetect a shared PMD table as such, because sharing/unsharing no longer\ntouches the refcount of a PMD table.\n\nPage migration, like mbind() or migrate_pages() would allow for migrating\nfolios mapped into such shared PMD tables, even though the folios are not\nexclusive. In smaps we would account them as \"private\" although they are\n\"shared\", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the\npagemap interface.\n\nFix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared()."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nmm/hugetlb: corregir hugetlb_pmd_shared()\n\nSerie de parches 'mm/hugetlb: correcciones para el uso compartido de tablas PMD (incl. el uso de mmu_gather)', v3.\n\nUna correcci\u00f3n funcional, una correcci\u00f3n de regresi\u00f3n de rendimiento y dos correcciones de comentarios relacionadas.\n\nLimpi\u00e9 mi prototipo que compart\u00ed recientemente [1] para la correcci\u00f3n de rendimiento, aplazando la mayor\u00eda de las limpiezas que ten\u00eda en el prototipo para un momento posterior. Mientras hac\u00eda eso, identifiqu\u00e9 las otras cosas.\n\nEl objetivo de este conjunto de parches es ser retroportado a \u00e1rboles estables \"bastante\" f\u00e1cilmente. Al menos el parche #1 y #4.\n\nEl parche #1 corrige que hugetlb_pmd_shared() no detecte ning\u00fan uso compartido.\nEl parche #2 + #3 son simples correcciones de comentarios con las que el parche #4 interact\u00faa.\nEl parche #4 es una correcci\u00f3n para la regresi\u00f3n de rendimiento reportada debido a transmisiones IPI excesivas durante fork()+exit().\n\nEl \u00faltimo parche trata sobre vaciados de TLB, IPIs y mmu_gather.\nL\u00e9ase: complicado\n\nHay muchas limpiezas por hacer en el futuro + una optimizaci\u00f3n razonable en x86. Pero todo eso est\u00e1 fuera del alcance de esta serie.\n\nProbado en tiempo de ejecuci\u00f3n, con un enfoque en corregir la regresi\u00f3n de rendimiento usando el reproductor original [2] en x86.\n\nEste parche (de 4):\n\nCambiamos de usar (err\u00f3neamente) el recuento de p\u00e1ginas a un recuento compartido independiente. Ahora, las tablas de p\u00e1ginas compartidas tienen un refcount de 1 (excluyendo referencias especulativas) y en su lugar usan ptdesc->pt_share_count para identificar el uso compartido.\n\nNo convertimos hugetlb_pmd_shared(), as\u00ed que ahora mismo, nunca detectar\u00edamos una tabla PMD compartida como tal, porque compartir/dejar de compartir ya no afecta el refcount de una tabla PMD.\n\nLa migraci\u00f3n de p\u00e1ginas, como mbind() o migrate_pages(), permitir\u00eda migrar folios mapeados en dichas tablas PMD compartidas, aunque los folios no sean exclusivos. En smaps los contabilizar\u00edamos como \"privados\" aunque sean \"compartidos\", y estar\u00edamos configurando err\u00f3neamente el PM_MMAP_EXCLUSIVE en la interfaz pagemap.\n\nCorregirlo usando correctamente ptdesc_pmd_is_shared() en hugetlb_pmd_shared()."}], "lastModified": "2026-03-25T11:16:18.370", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6B462A12-1313-443F-A4AD-497D3E94D030", "versionEndExcluding": "5.11", "versionStartIncluding": "5.10.239"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0A14ADC6-011A-46D0-A322-43C2517D1E11", "versionEndExcluding": "5.16", "versionStartIncluding": "5.15.186"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2382297A-0991-403C-B3BE-E14D6ACDF1AA", "versionEndExcluding": "6.2", "versionStartIncluding": "6.1.142"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "97B4F548-197A-4ED6-BBAA-A5DDE4C23486", "versionEndExcluding": "6.6.127", "versionStartIncluding": "6.6.72"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1863CA93-1652-44FD-9A0D-75DB28F5318F", "versionEndExcluding": "6.12.74", "versionStartIncluding": "6.12.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DABFB8C1-7DE1-44E5-A929-BC67ABA89E0D", "versionEndExcluding": "6.18.8", "versionStartIncluding": "6.13.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A3F9505-6B98-4269-8B81-127E55A1BF00"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8AF9DC49-2085-4FFB-A7E3-73DFAFECC7F2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5DFCDFB8-4FD0-465A-9076-D813D78FE51B"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}