Description
In the Linux kernel, the following vulnerability has been resolved:

mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER

When registering VTL0 memory via MSHV_ADD_VTL0_MEMORY, the kernel
computes pgmap->vmemmap_shift as the number of trailing zeros in the
OR of start_pfn and last_pfn, intending to use the largest compound
page order both endpoints are aligned to.

However, this value is not clamped to MAX_FOLIO_ORDER, so a
sufficiently aligned range (e.g. physical range
[0x800000000000, 0x800080000000), corresponding to start_pfn=0x800000000
with 35 trailing zeros) can produce a shift larger than what
memremap_pages() accepts, triggering a WARN and returning -EINVAL:

WARNING: ... memremap_pages+0x512/0x650
requested folio size unsupported

The MAX_FOLIO_ORDER check was added by
commit 646b67d57589 ("mm/memremap: reject unreasonable folio/compound
page sizes in memremap_pages()").

Fix this by clamping vmemmap_shift to MAX_FOLIO_ORDER so we always
request the largest order the kernel supports, in those cases, rather
than an out-of-range value.

Also fix the error path to propagate the actual error code from
devm_memremap_pages() instead of hard-coding -EFAULT, which was
masking the real -EINVAL return.
Published: 2026-05-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel incorrectly calculates the compound page size during VTL0 memory registration via MSHV_ADD_VTL0_MEMORY. The vmemmap_shift value is derived from the number of trailing zero bits in the OR of start_pfn and last_pfn, and the value is not clamped to the system maximum order. When a sufficiently aligned address range produces a shift larger than MAX_FOLIO_ORDER, the memremap_pages function issues a warning and returns -EINVAL. This prevents the requested memory region from being mapped, potentially causing a failure to establish the hypervisor’s virtual‑to‑physical map and disrupting services that depend on that memory. The flaw results in a denial‑of‑service condition rather than remote code execution or privilege escalation. It exhibits an uncontrolled memory allocation flaw, classified as CWE-1285.
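The shift computation and error path described above, modelled in user space as an added illustration (not the kernel's code and not part of the original record). `EXAMPLE_PAGE_SHIFT`, `EXAMPLE_MAX_FOLIO_ORDER`, `mock_memremap()` and the reading of last_pfn as the exclusive end PFN are assumptions; the kernel's real limit depends on its configuration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define EXAMPLE_PAGE_SHIFT      12  /* assumption: 4 KiB pages */
#define EXAMPLE_MAX_FOLIO_ORDER 18  /* assumption: stand-in for the kernel's limit */

/* Largest order both PFNs are aligned to: trailing zeros of their OR. */
static unsigned int raw_shift(uint64_t start_pfn, uint64_t last_pfn)
{
    uint64_t bits = start_pfn | last_pfn;
    return bits ? (unsigned int)__builtin_ctzll(bits) : 64;
}

/* Fixed behaviour per the description: clamp to the supported maximum. */
static unsigned int clamped_shift(uint64_t start_pfn, uint64_t last_pfn)
{
    unsigned int shift = raw_shift(start_pfn, last_pfn);
    return shift > EXAMPLE_MAX_FOLIO_ORDER ? EXAMPLE_MAX_FOLIO_ORDER : shift;
}

/* Hypothetical stand-in for the order check in memremap_pages(). */
static int mock_memremap(unsigned int shift)
{
    return shift > EXAMPLE_MAX_FOLIO_ORDER ? -EINVAL : 0;
}

/* Pre-fix model: unclamped shift, every failure reported as -EFAULT. */
static int add_mem_before(uint64_t start_pfn, uint64_t last_pfn)
{
    return mock_memremap(raw_shift(start_pfn, last_pfn)) ? -EFAULT : 0;
}

/* Post-fix model: clamped shift, real error code propagated. */
static int add_mem_after(uint64_t start_pfn, uint64_t last_pfn)
{
    return mock_memremap(clamped_shift(start_pfn, last_pfn));
}

int main(void)
{
    /* Range from the description; last_pfn as exclusive end PFN is an assumption. */
    uint64_t start = 0x800000000000ULL >> EXAMPLE_PAGE_SHIFT;
    uint64_t last  = 0x800080000000ULL >> EXAMPLE_PAGE_SHIFT;

    printf("raw=%u clamped=%u before=%d after=%d\n", raw_shift(start, last),
           clamped_shift(start, last), add_mem_before(start, last),
           add_mem_after(start, last));
    return 0;
}
```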

Affected Systems

Affected software is the Linux kernel itself. All kernel releases prior to the patch that implements commit 646b67d57589 and clamps vmemmap_shift to MAX_FOLIO_ORDER are vulnerable. No specific downstream product line is listed, so all distributions that ship an unpatched kernel are at risk.

Risk and Exploitability

The CVSS score is not disclosed and the EPSS score is unavailable, indicating that public exploitation data is currently unknown. The vulnerability requires the ability to invoke MSHV_ADD_VTL0_MEMORY, which typically implies privileged or root access to the kernel, making it a local‑privilege problem. Because the defect leads to a predictable failure rather than a complex attack chain, the overall risk can be considered moderate at present. The lack of a KEV listing and the absence of known public exploits suggest that the likelihood of immediate exploitation is low, but organizations should still anticipate corrective action if custom hypervisor code interacts with this interface.

Generated by OpenCVE AI on May 9, 2026 at 03:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the latest MSHV memory registration patch from commit 646b67d57589, ensuring vmemmap_shift is clamped to MAX_FOLIO_ORDER.
  • Confirm that any custom scripting or tools that call MSHV_ADD_VTL0_MEMORY are updated to handle the -EINVAL return value and do not assume a successful mapping.
  • If an immediate kernel upgrade is not possible, monitor the hypervisor’s memory initialization logs for WARN messages and prepare to redeploy or restart affected services once the fix is available.

Advisories

No advisories yet.

History

Sat, 09 May 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Sat, 09 May 2026 00:15:00 +0000


Fri, 08 May 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Fri, 08 May 2026 14:00:00 +0000

Type Values Removed Values Added
Title mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T13:41:51.909Z

Reserved: 2026-05-01T14:12:56.003Z

Link: CVE-2026-43348

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T14:16:44.890

Modified: 2026-05-08T14:16:44.890

Link: CVE-2026-43348

Red Hat

Severity:

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43348 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T03:30:24Z

Weaknesses