Description
In the Linux kernel, the following vulnerability has been resolved:

mm/memfd_luo: fix physical address conversion in put_folios cleanup

In memfd_luo_retrieve_folios()'s put_folios cleanup path:

1. kho_restore_folio() expects a phys_addr_t (physical address) but
receives a raw PFN (pfolio->pfn). This causes kho_restore_page() to
check the wrong physical address (pfn << PAGE_SHIFT instead of the
actual physical address).

2. This loop lacks the !pfolio->pfn check that exists in the main
retrieval loop and memfd_luo_discard_folios(), which could
incorrectly process sparse file holes where pfn=0.

Fix by converting PFN to physical address with PFN_PHYS() and adding
the !pfolio->pfn check, matching the pattern used elsewhere in this file.

This issue was identified by the AI review.
https://sashiko.dev/#/patchset/20260323110747.193569-1-duanchenghao@kylinos.cn
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

During the memfd_luo memory retrieval cleanup path, the kernel function kho_restore_folio() expects a physical address value, yet it receives a raw page frame number (PFN). Because of this mismatch, the subsequent kho_restore_page() call computes an incorrect physical address by shifting the PFN instead of using the actual physical address. This logic flaw, combined with the omission of a guard that checks for a zero PFN in sparse file holes, means the kernel might process invalid memory references or attempt to restore pages that do not exist. If an attacker can trigger this code path, they could cause memory corruption or a crash, leading to loss of data integrity or a denial of service.

Affected Systems

The bug resides in the Linux kernel’s memory handling layer. All systems running the vanilla Linux kernel or derivatives that include the unmodified memfd_luo implementation are affected. The data set does not enumerate specific kernel version numbers, so any build that has not yet been updated with the patch that corrects the PFN-to-physical address conversion is vulnerable.

Risk and Exploitability

While CVSS and EPSS metrics are unavailable and the vulnerability is not listed in CISA's KEV catalog, the flaw touches low‑level kernel memory management. Exploitation would likely require local privilege or a prior vulnerability that grants kernel‑mode execution. Because the bug can introduce memory corruption or a panic, its severity could be high if an attacker can exercise the affected code path. Administrators should treat this as a priority update, given the potential impact on system stability and data integrity.

Generated by OpenCVE AI on May 27, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the commit 3538f90ab88… or apply the patch from the referenced Git commit to convert PFNs to physical addresses and add the missing guard.
  • If a full kernel upgrade is not immediately possible, apply the patch manually by cherry‑picking the commit or applying the patch file available at the provided Git link, ensuring the changes are merged into the running kernel source before recompilation.
  • As a temporary mitigation, restrict the creation of memfd objects to trusted users or processes and audit for any suspicious memfd usage; this reduces the likelihood that an attacker can exercise the vulnerable cleanup path until the kernel is patched.

Generated by OpenCVE AI on May 27, 2026 at 18:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-405
CWE-59

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mm/memfd_luo: fix physical address conversion in put_folios cleanup In memfd_luo_retrieve_folios()'s put_folios cleanup path: 1. kho_restore_folio() expects a phys_addr_t (physical address) but receives a raw PFN (pfolio->pfn). This causes kho_restore_page() to check the wrong physical address (pfn << PAGE_SHIFT instead of the actual physical address). 2. This loop lacks the !pfolio->pfn check that exists in the main retrieval loop and memfd_luo_discard_folios(), which could incorrectly process sparse file holes where pfn=0. Fix by converting PFN to physical address with PFN_PHYS() and adding the !pfolio->pfn check, matching the pattern used elsewhere in this file. This issue was identified by the AI review. https://sashiko.dev/#/patchset/20260323110747.193569-1-duanchenghao@kylinos.cn
Title mm/memfd_luo: fix physical address conversion in put_folios cleanup
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:56:15.236Z

Reserved: 2026-05-13T15:03:33.092Z

Link: CVE-2026-46013

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:19.517

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46013

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T18:45:39Z

Weaknesses