Description
In the Linux kernel, the following vulnerability has been resolved:

mm/memfd_luo: fix physical address conversion in put_folios cleanup

In memfd_luo_retrieve_folios()'s put_folios cleanup path:

1. kho_restore_folio() expects a phys_addr_t (physical address) but
receives a raw PFN (pfolio->pfn). This causes kho_restore_page() to
check the wrong physical address (pfn << PAGE_SHIFT instead of the
actual physical address).

2. This loop lacks the !pfolio->pfn check that exists in the main
retrieval loop and memfd_luo_discard_folios(), which could
incorrectly process sparse file holes where pfn=0.

Fix by converting PFN to physical address with PFN_PHYS() and adding
the !pfolio->pfn check, matching the pattern used elsewhere in this file.

This issue was identified by the AI review.
https://sashiko.dev/#/patchset/20260323110747.193569-1-duanchenghao@kylinos.cn
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The cleanup path in memfd_luo expects a physical address but receives a raw PFN, causing kho_restore_page() to compute an incorrect physical address. Additionally the loop lacks a guard that checks for a zero PFN, so sparse file holes could be processed with a pfn equal to zero. This mismatch can lead to the kernel accessing invalid memory, potentially corrupting kernel data or causing a crash.

Affected Systems

All Linux kernel builds that include the unpatched memfd_luo implementation are affected. The CPE list indicates any Linux kernel variant; no specific kernel version is mentioned in the CVE data, so any system running a kernel without the fix commit is vulnerable.

Risk and Exploitability

No CVSS or EPSS metric is available and the vulnerability is not listed in C KEV. The description indicates that the flaw could cause kernel memory corruption or a crash if the cleanup path is executed. The exact means of triggering the vulnerability are not described in the CVE data, so the attack vector remains unspecified. Provided the affected code path can be reached, the issue could have a high impact on kernel stability and data integrity.

Generated by OpenCVE AI on May 28, 2026 at 06:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch corresponding to commit 3538f90ab89aaf302782b4b073a0aae66904cd67, which corrects the PFN‑to‑physical conversion and adds the missing guard.
  • If a full kernel upgrade is not immediately possible, cherry‑pick the commit or apply the patch from the cited Git commit into the current kernel source and rebuild the kernel.
  • As a temporary measure, limit memfd object creation to privileged users or restrict usage via kernel parameters or SELinux policies to reduce the chance of the vulnerable cleanup path being invoked.

Generated by OpenCVE AI on May 28, 2026 at 06:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Thu, 28 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-405
CWE-59

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-681
References

Wed, 27 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-405
CWE-59

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mm/memfd_luo: fix physical address conversion in put_folios cleanup In memfd_luo_retrieve_folios()'s put_folios cleanup path: 1. kho_restore_folio() expects a phys_addr_t (physical address) but receives a raw PFN (pfolio->pfn). This causes kho_restore_page() to check the wrong physical address (pfn << PAGE_SHIFT instead of the actual physical address). 2. This loop lacks the !pfolio->pfn check that exists in the main retrieval loop and memfd_luo_discard_folios(), which could incorrectly process sparse file holes where pfn=0. Fix by converting PFN to physical address with PFN_PHYS() and adding the !pfolio->pfn check, matching the pattern used elsewhere in this file. This issue was identified by the AI review. https://sashiko.dev/#/patchset/20260323110747.193569-1-duanchenghao@kylinos.cn
Title mm/memfd_luo: fix physical address conversion in put_folios cleanup
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:47:59.320Z

Reserved: 2026-05-13T15:03:33.092Z

Link: CVE-2026-46013

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T14:17:19.517

Modified: 2026-06-16T15:24:54.590

Link: CVE-2026-46013

cve-icon Redhat

Severity :

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46013 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T06:15:10Z

Weaknesses