Description
In the Linux kernel, the following vulnerability has been resolved:

mm/memfd_luo: fix physical address conversion in put_folios cleanup

In memfd_luo_retrieve_folios()'s put_folios cleanup path:

1. kho_restore_folio() expects a phys_addr_t (physical address) but
receives a raw PFN (pfolio->pfn). This causes kho_restore_page() to
check the wrong physical address (pfn << PAGE_SHIFT instead of the
actual physical address).

2. This loop lacks the !pfolio->pfn check that exists in the main
retrieval loop and memfd_luo_discard_folios(), which could
incorrectly process sparse file holes where pfn=0.

Fix by converting PFN to physical address with PFN_PHYS() and adding
the !pfolio->pfn check, matching the pattern used elsewhere in this file.

This issue was identified by the AI review.
https://sashiko.dev/#/patchset/20260323110747.193569-1-duanchenghao@kylinos.cn
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The cleanup path in memfd_luo expects a physical address but receives a raw PFN, causing kho_restore_page() to compute an incorrect physical address. Additionally the loop lacks a guard that checks for a zero PFN, so sparse file holes could be processed with a pfn equal to zero. This mismatch can lead to the kernel accessing invalid memory, potentially corrupting kernel data or causing a crash.

Affected Systems

All Linux kernel builds that include the unpatched memfd_luo implementation are affected. The CPE list indicates any Linux kernel variant; no specific kernel version is mentioned in the CVE data, so any system running a kernel without the fix commit is vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The description indicates that if the memfd_luo cleanup path is executed, the kernel will restore a page using an incorrect physical address, which can corrupt kernel memory or cause a crash. The attack vector is not explicitly documented, but it is inferred to be reachable during normal use of memfd objects, so the risk centers on potential kernel instability rather than widespread exploitation.

Generated by OpenCVE AI on June 17, 2026 at 23:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch corresponding to commit 3538f90ab89aaf302782b4b073a0aae66904cd67, which corrects the PFN‑to‑physical conversion and adds the missing guard.
  • If a full kernel upgrade is not immediately possible, cherry‑pick the commit or apply the patch from the cited Git commit into the current kernel source and rebuild the kernel.
  • As a temporary measure, limit memfd object creation to privileged users or restrict usage via kernel parameters or SELinux policies to reduce the chance of the vulnerable cleanup path being invoked.

Generated by OpenCVE AI on June 17, 2026 at 23:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8488-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8489-1 Linux kernel (OEM) vulnerabilities
Ubuntu USN Ubuntu USN USN-8488-2 Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN Ubuntu USN USN-8507-1 Linux kernel (NVIDIA) vulnerabilities
History

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Thu, 28 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-405
CWE-59

Thu, 28 May 2026 00:15:00 +0000


Wed, 27 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-405
CWE-59

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mm/memfd_luo: fix physical address conversion in put_folios cleanup In memfd_luo_retrieve_folios()'s put_folios cleanup path: 1. kho_restore_folio() expects a phys_addr_t (physical address) but receives a raw PFN (pfolio->pfn). This causes kho_restore_page() to check the wrong physical address (pfn << PAGE_SHIFT instead of the actual physical address). 2. This loop lacks the !pfolio->pfn check that exists in the main retrieval loop and memfd_luo_discard_folios(), which could incorrectly process sparse file holes where pfn=0. Fix by converting PFN to physical address with PFN_PHYS() and adding the !pfolio->pfn check, matching the pattern used elsewhere in this file. This issue was identified by the AI review. https://sashiko.dev/#/patchset/20260323110747.193569-1-duanchenghao@kylinos.cn
Title mm/memfd_luo: fix physical address conversion in put_folios cleanup
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:47:59.320Z

Reserved: 2026-05-13T15:03:33.092Z

Link: CVE-2026-46013

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T14:17:19.517

Modified: 2026-06-17T10:52:53.950

Link: CVE-2026-46013

cve-icon Redhat

Severity :

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46013 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T23:45:14Z

Weaknesses