Description
In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: fix hugetlb_pmd_shared()

Patch series "mm/hugetlb: fixes for PMD table sharing (incl. using
mmu_gather)", v3.

One functional fix, one performance regression fix, and two related
comment fixes.

I cleaned up my prototype I recently shared [1] for the performance fix,
deferring most of the cleanups I had in the prototype to a later point.
While doing that I identified the other things.

The goal of this patch set is to be backported to stable trees "fairly"
easily. At least patch #1 and #4.

Patch #1 fixes hugetlb_pmd_shared() not detecting any sharing
Patch #2 + #3 are simple comment fixes that patch #4 interacts with.
Patch #4 is a fix for the reported performance regression due to excessive
IPI broadcasts during fork()+exit().

The last patch is all about TLB flushes, IPIs and mmu_gather.
Read: complicated

There are plenty of cleanups in the future to be had + one reasonable
optimization on x86. But that's all out of scope for this series.

Runtime tested, with a focus on fixing the performance regression using
the original reproducer [2] on x86.


This patch (of 4):

We switched from (wrongly) using the page count to an independent shared
count. Now, shared page tables have a refcount of 1 (excluding
speculative references) and instead use ptdesc->pt_share_count to identify
sharing.

We didn't convert hugetlb_pmd_shared(), so right now, we would never
detect a shared PMD table as such, because sharing/unsharing no longer
touches the refcount of a PMD table.

Page migration, like mbind() or migrate_pages() would allow for migrating
folios mapped into such shared PMD tables, even though the folios are not
exclusive. In smaps we would account them as "private" although they are
"shared", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the
pagemap interface.

Fix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared().
Published: 2026-02-04
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory accounting errors and performance degradation from improper sharing detection in hugetlb PMD tables
Action: Apply Patch
AI Analysis

Impact

The Linux kernel function hugetlb_pmd_shared() incorrectly used the PMD page count to determine whether a huge‑page table was shared. As a result, shared PMD tables were never detected, causing inaccurate reference counting, misreporting of memory usage by utilities such as smaps, and a noticeable performance regression due to excessive inter‑processor interrupt broadcasts during fork+exit. The patch replaces the page count logic with a dedicated shared‑count, restoring correct detection of shared PMD tables and eliminating the accounting errors and performance issue.

Affected Systems

The defect appears in Linux kernel releases 6.13 (including rc6 and rc7) and all 6.19 release candidates from rc1 through rc6, affecting all architectures that implement the hugetlb subsystem. Kernel packages shipped with these versions from any distribution that rely on the upstream kernel must be updated or have the patch series applied.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while the EPSS score of less than 1 % indicates a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. No explicit exploitation vector is documented; the bug primarily causes incorrect memory accounting and a performance regression. The risk is therefore limited to potential denial of service through resource mismanagement rather than privilege escalation or remote code execution.

Generated by OpenCVE AI on April 18, 2026 at 20:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the mm/hugetlb fix or backport patches #1 and #4 from the patch series.
  • If an upgrade is not immediately possible, disable hugetlb memory features or restrict privileged processes from using hugetlb APIs until the issue is resolved.
  • Monitor memory usage and performance anomalies that may indicate misreporting or leaks, and, if necessary, rebuild the kernel with correct reference counting for hugetlb.

Generated by OpenCVE AI on April 18, 2026 at 20:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DLA Debian DLA DLA-4606-1 linux security update
Debian DSA Debian DSA DSA-6162-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
References

Fri, 20 Mar 2026 13:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*

Thu, 19 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
References

Thu, 05 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 04 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix hugetlb_pmd_shared() Patch series "mm/hugetlb: fixes for PMD table sharing (incl. using mmu_gather)", v3. One functional fix, one performance regression fix, and two related comment fixes. I cleaned up my prototype I recently shared [1] for the performance fix, deferring most of the cleanups I had in the prototype to a later point. While doing that I identified the other things. The goal of this patch set is to be backported to stable trees "fairly" easily. At least patch #1 and #4. Patch #1 fixes hugetlb_pmd_shared() not detecting any sharing Patch #2 + #3 are simple comment fixes that patch #4 interacts with. Patch #4 is a fix for the reported performance regression due to excessive IPI broadcasts during fork()+exit(). The last patch is all about TLB flushes, IPIs and mmu_gather. Read: complicated There are plenty of cleanups in the future to be had + one reasonable optimization on x86. But that's all out of scope for this series. Runtime tested, with a focus on fixing the performance regression using the original reproducer [2] on x86. This patch (of 4): We switched from (wrongly) using the page count to an independent shared count. Now, shared page tables have a refcount of 1 (excluding speculative references) and instead use ptdesc->pt_share_count to identify sharing. We didn't convert hugetlb_pmd_shared(), so right now, we would never detect a shared PMD table as such, because sharing/unsharing no longer touches the refcount of a PMD table. Page migration, like mbind() or migrate_pages() would allow for migrating folios mapped into such shared PMD tables, even though the folios are not exclusive. In smaps we would account them as "private" although they are "shared", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the pagemap interface. Fix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared().
Title mm/hugetlb: fix hugetlb_pmd_shared()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T16:03:51.647Z

Reserved: 2026-01-13T15:37:45.965Z

Link: CVE-2026-23100

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2026-02-04T17:16:20.880

Modified: 2026-04-18T09:16:13.703

Link: CVE-2026-23100

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23100 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T20:45:05Z

Weaknesses