Description
In the Linux kernel, the following vulnerability has been resolved:

mm: thp: deny THP for files on anonymous inodes

file_thp_enabled() incorrectly allows THP for files on anonymous inodes
(e.g. guest_memfd and secretmem). These files are created via
alloc_file_pseudo(), which does not call get_write_access() and leaves
inode->i_writecount at 0. Combined with S_ISREG(inode->i_mode) being
true, they appear as read-only regular files when
CONFIG_READ_ONLY_THP_FOR_FS is enabled, making them eligible for THP
collapse.

Anonymous inodes can never pass the inode_is_open_for_write() check
since their i_writecount is never incremented through the normal VFS
open path. The right thing to do is to exclude them from THP eligibility
altogether, since CONFIG_READ_ONLY_THP_FOR_FS was designed for real
filesystem files (e.g. shared libraries), not for pseudo-filesystem
inodes.

For guest_memfd, this allows khugepaged and MADV_COLLAPSE to create
large folios in the page cache via the collapse path, but the
guest_memfd fault handler does not support large folios. This triggers
WARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping().

For secretmem, collapse_file() tries to copy page contents through the
direct map, but secretmem pages are removed from the direct map. This
can result in a kernel crash:

BUG: unable to handle page fault for address: ffff88810284d000
RIP: 0010:memcpy_orig+0x16/0x130
Call Trace:
collapse_file
hpage_collapse_scan_file
madvise_collapse

Secretmem is not affected by the crash on upstream as the memory failure
recovery handles the failed copy gracefully, but it still triggers
confusing false memory failure reports:

Memory failure: 0x106d96f: recovery action for clean unevictable
LRU page: Recovered

Check IS_ANON_FILE(inode) in file_thp_enabled() to deny THP for all
anonymous inode files.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Kernel Crash (Denial of Service)
Action: Patch Immediately
AI Analysis

Impact

The Linux kernel’s transparent hugepage subsystem incorrectly permits THP collapse for files that reside on anonymous inodes, such as guest_memfd and secretmem, when CONFIG_READ_ONLY_THP_FOR_FS is enabled. This results from a buffer handling error combined with an input validation weakness (CWE‑825) because the kernel fails to exclude pseudo‑filesystem objects from THP eligibility. When collapse is attempted, the guest_memfd fault handler or the secretmem copy routine faults on large folios, which can trigger WARN_ON_ONCE or a full kernel crash. The flaw does not provide arbitrary code execution, but it can bring the host down through a denial‑of‑service that is triggered by the kernel’s own memory management path.

Affected Systems

All Linux kernel releases compiled with CONFIG_READ_ONLY_THP_FOR_FS enabled and that have not incorporated the upstream patch (commit 0524ee56f) are affected. This includes mainstream distribution kernels that expose guest_memfd or secretmem or otherwise allow THP collapse on pseudo‑filesystem inodes. The vulnerability applies to the core kernel regardless of vendor; any distribution kernel using the default configuration for THP on read‑only files can be impacted.

Risk and Exploitability

The CVSS base score of 7.0 indicates high impact while the EPSS score is under 1%, implying a low prevalence of active exploitation today. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers would need local access to create or interact with the vulnerable pseudo‑FS objects and to enable transparent hugepage collapse for them, making exploitation a local attack. Given the severity and the possibility of a kernel crash, the vulnerability should be treated as a high‑priority patching issue.

Generated by OpenCVE AI on April 15, 2026 at 19:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a release that contains the file_thp_enabled() patch (commit 0524ee56f).
  • Reconfigure the kernel to disable THP collapse for anonymous inodes by either disabling CONFIG_READ_ONLY_THP_FOR_FS entirely or, as a temporary fix, setting /sys/kernel/mm/transparent_hugepage/enabled to "never".
  • Optional: Monitor kernel dmesg for WARN_ON_ONCE or BUG messages related to THP collapse to verify the vulnerability no longer manifests.

Generated by OpenCVE AI on April 15, 2026 at 19:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 24 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-617
CPEs cpe:2.3:o:linux:linux_kernel:6.8:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Wed, 15 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mm: thp: deny THP for files on anonymous inodes file_thp_enabled() incorrectly allows THP for files on anonymous inodes (e.g. guest_memfd and secretmem). These files are created via alloc_file_pseudo(), which does not call get_write_access() and leaves inode->i_writecount at 0. Combined with S_ISREG(inode->i_mode) being true, they appear as read-only regular files when CONFIG_READ_ONLY_THP_FOR_FS is enabled, making them eligible for THP collapse. Anonymous inodes can never pass the inode_is_open_for_write() check since their i_writecount is never incremented through the normal VFS open path. The right thing to do is to exclude them from THP eligibility altogether, since CONFIG_READ_ONLY_THP_FOR_FS was designed for real filesystem files (e.g. shared libraries), not for pseudo-filesystem inodes. For guest_memfd, this allows khugepaged and MADV_COLLAPSE to create large folios in the page cache via the collapse path, but the guest_memfd fault handler does not support large folios. This triggers WARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping(). For secretmem, collapse_file() tries to copy page contents through the direct map, but secretmem pages are removed from the direct map. This can result in a kernel crash: BUG: unable to handle page fault for address: ffff88810284d000 RIP: 0010:memcpy_orig+0x16/0x130 Call Trace: collapse_file hpage_collapse_scan_file madvise_collapse Secretmem is not affected by the crash on upstream as the memory failure recovery handles the failed copy gracefully, but it still triggers confusing false memory failure reports: Memory failure: 0x106d96f: recovery action for clean unevictable LRU page: Recovered Check IS_ANON_FILE(inode) in file_thp_enabled() to deny THP for all anonymous inode files.
Title mm: thp: deny THP for files on anonymous inodes
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:06:09.991Z

Reserved: 2026-01-13T15:37:46.003Z

Link: CVE-2026-23375

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T11:16:37.230

Modified: 2026-04-24T16:31:31.260

Link: CVE-2026-23375

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23375 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T19:45:12Z

Weaknesses