Description
In the Linux kernel, the following vulnerability has been resolved:

mm: fix deferred split queue races during migration

migrate_folio_move() records the deferred split queue state from src and
replays it on dst. Replaying it after remove_migration_ptes(src, dst, 0)
makes dst visible before it is requeued, so a concurrent rmap-removal path
can mark dst partially mapped and trip the WARN in deferred_split_folio().

Move the requeue before remove_migration_ptes() so dst is back on the
deferred split queue before it becomes visible again.

Because migration still holds dst locked at that point, teach
deferred_split_scan() to requeue a folio when folio_trylock() fails.
Otherwise a fully mapped underused folio can be dequeued by the shrinker
and silently lost from split_queue.

[ziy@nvidia.com: move the comment]
Published: 2026-05-27
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A concurrency bug in the Linux kernel’s memory migration path allows a destination page to be made visible before it is correctly re‑queued on the deferred split queue. The race can trigger WARN messages in deferred_split_folio() and may silently discard fully mapped, under‑used pages, potentially causing kernel memory corruption or loss of pages. The flaw is a classic race condition (CWE‑362) involving improper synchronization between migration and split queue handling, and it also exemplifies a lost updates race (CWE‑367).
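The second failure mode named above, a still-locked folio dropped by the shrinker scan, shown as a simplified user-space model. This is an added example, not kernel code or code from the fix; the struct and function names are hypothetical, and the pre-fix rule that only partially mapped folios are put back is an assumption of the model.

```c
#include <stdbool.h>
#include <stddef.h>

/* User-space model only: these types and names are hypothetical. */
struct folio_model {
    bool locked;           /* migration holds the lock: trylock would fail */
    bool partially_mapped; /* false = fully mapped but underused */
    bool queued;           /* currently on the split queue */
};

#define QCAP 8
struct split_queue { struct folio_model *items[QCAP]; size_t len; };

static void queue_add(struct split_queue *q, struct folio_model *f)
{
    if (f->queued || q->len == QCAP) return;
    q->items[q->len++] = f;
    f->queued = true;
}

/* One shrinker pass: empty the queue into a batch, then lock and split each
 * folio. Returns the number of folios split. */
static size_t scan_model(struct split_queue *q, bool requeue_on_trylock_fail)
{
    struct folio_model *batch[QCAP];
    size_t n = q->len, split = 0;
    for (size_t i = 0; i < n; i++)
        (batch[i] = q->items[i])->queued = false;
    q->len = 0;
    for (size_t i = 0; i < n; i++) {
        if (!batch[i]->locked) { split++; continue; }
        /* Trylock failed; assumed pre-fix rule: only partially mapped go back. */
        if (requeue_on_trylock_fail || batch[i]->partially_mapped)
            queue_add(q, batch[i]);
    }
    return split;
}

/* dst: fully mapped, requeued by migration while still locked, then scanned. */
static bool dst_survives_scan(bool requeue_on_trylock_fail)
{
    struct split_queue q = { .len = 0 };
    struct folio_model dst = { .locked = true };
    queue_add(&q, &dst);
    scan_model(&q, requeue_on_trylock_fail);
    return dst.queued && q.len == 1;
}

int main(void) { return dst_survives_scan(true) && !dst_survives_scan(false) ? 0 : 1; }
```

Without the requeue on trylock failure the locked, fully mapped folio leaves the queue and never returns; with it, the folio is still queued for a later pass.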

Affected Systems

All Linux kernel releases that do not include commit 3bac01168982ec3e3bf87efdc1807c7933590a85 (or later) are affected. This affects every Linux distribution that ships a kernel prior to that commit, regardless of vendor or distribution name.

Risk and Exploitability

The CVSS score is 7.0 and the EPSS value is unavailable; the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation would require a local or privileged context, but the CVE data does not explicitly state the required privilege level. Although it may be difficult to leverage remotely, systems that cannot upgrade may face a moderate to high risk of instability or memory corruption if the race is triggered.

Generated by OpenCVE AI on May 28, 2026 at 02:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that incorporates commit 3bac01168982ec3e3bf87efdc1807c7933590a85 or later.
  • Restart the system after the kernel update to ensure the new version is active.
  • If upgrading is not immediately possible, monitor kernel logs for WARN messages related to deferred split queue races and limit memory migration activity via relevant kernel parameters (e.g., adjusting migratepages or vm.nr_hugepages).

Generated by OpenCVE AI on May 28, 2026 at 02:25 UTC.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Thu, 28 May 2026 00:15:00 +0000

Type: Weaknesses
Values Added: CWE-367

Type: References

Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity Moderate


Wed, 27 May 2026 19:00:00 +0000

Type: Weaknesses
Values Added: CWE-362

Wed, 27 May 2026 14:15:00 +0000

Type: Description
Values Added: In the Linux kernel, the following vulnerability has been resolved: mm: fix deferred split queue races during migration migrate_folio_move() records the deferred split queue state from src and replays it on dst. Replaying it after remove_migration_ptes(src, dst, 0) makes dst visible before it is requeued, so a concurrent rmap-removal path can mark dst partially mapped and trip the WARN in deferred_split_folio(). Move the requeue before remove_migration_ptes() so dst is back on the deferred split queue before it becomes visible again. Because migration still holds dst locked at that point, teach deferred_split_scan() to requeue a folio when folio_trylock() fails. Otherwise a fully mapped underused folio can be dequeued by the shrinker and silently lost from split_queue. [ziy@nvidia.com: move the comment]

Type: Title
Values Added: mm: fix deferred split queue races during migration

Type: First Time appeared
Values Added: Linux; Linux linux Kernel

Type: CPEs
Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Linux; Linux linux Kernel

Type: References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:48:14.283Z

Reserved: 2026-05-13T15:03:33.092Z

Link: CVE-2026-46017

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-27T14:17:20.133

Modified: 2026-06-16T15:23:49.020

Link: CVE-2026-46017

Red Hat

Severity: Moderate

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46017 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T02:30:04Z

Weaknesses
  • CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE-367

    Time-of-check Time-of-use (TOCTOU) Race Condition