Description
In the Linux kernel, the following vulnerability has been resolved:

mm: fix deferred split queue races during migration

migrate_folio_move() records the deferred split queue state from src and
replays it on dst. Replaying it after remove_migration_ptes(src, dst, 0)
makes dst visible before it is requeued, so a concurrent rmap-removal path
can mark dst partially mapped and trip the WARN in deferred_split_folio().

Move the requeue before remove_migration_ptes() so dst is back on the
deferred split queue before it becomes visible again.

Because migration still holds dst locked at that point, teach
deferred_split_scan() to requeue a folio when folio_trylock() fails.
Otherwise a fully mapped underused folio can be dequeued by the shrinker
and silently lost from split_queue.

[ziy@nvidia.com: move the comment]
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A concurrency bug in the Linux kernel’s memory migration path allows a destination page to be made visible before it is correctly re‑queued on the deferred split queue. The race can trigger WARN messages in deferred_split_folio() and may silently discard fully mapped, under‑used pages, potentially causing kernel memory corruption or loss of pages. The flaw is a classic race condition (CWE‑362) involving improper synchronization between migration and split queue handling.

Affected Systems

All Linux kernel releases that do not include commit 3bac01168982ec3e3bf87efdc1807c7933590a85 (or later) are affected. This affects every Linux distribution that ships a kernel prior to that commit, regardless of vendor or distribution name.

Risk and Exploitability

The CVSS score is not disclosed and the EPSS value is unavailable; the vulnerability is not listed in CISA’s KEV catalogue. Exploitation would require local or root privileges to trigger a memory migration race. While it is unlikely to be leveraged remotely without local access, systems that cannot be upgraded face a moderate to high risk of instability or memory corruption if the race is triggered.

Generated by OpenCVE AI on May 27, 2026 at 18:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that incorporates commit 3bac01168982ec3e3bf87efdc1807c7933590a85 or later.
  • Restart the system after the kernel update to ensure the new version is active.
  • If upgrading is not immediately possible, monitor kernel logs for WARN messages related to deferred split queue races and limit memory migration activity via relevant kernel parameters (e.g., adjusting migratepages or vm.nr_hugepages).
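
One way to carry out the log monitoring suggested in the last item, as an added example that is not part of this advisory or of the kernel source: it scans kernel log text for WARN blocks reported from deferred_split_folio() and collects the task name and call-trace symbols of each. The sample log, the `find_warns` helper and the stack frames shown are constructed for illustration.

```python
import re

# Constructed kernel-log excerpt: PIDs, offsets, the source line number and
# the stack frames are illustrative, not taken from a real report of this bug.
SAMPLE_LOG = """\
[  101.000001] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[  812.440100] ------------[ cut here ]------------
[  812.440105] WARNING: CPU: 3 PID: 4321 at mm/huge_memory.c:1234 deferred_split_folio+0x1a2/0x2b0
[  812.440120] CPU: 3 PID: 4321 Comm: app Not tainted
[  812.440130] Call Trace:
[  812.440135]  folio_remove_rmap_ptes+0x9c/0x110
[  812.440139]  zap_pte_range+0x3f1/0x8a0
[  812.440151] ---[ end trace 0000000000000000 ]---
[  900.000005] WARNING: CPU: 0 PID: 77 at net/core/dev.c:1 other_function+0x10/0x20
[  900.000010] ---[ end trace 0000000000000000 ]---
"""

STAMP = re.compile(r"^\[\s*(\d+\.\d+)\]\s?(.*)$")  # "[  812.44] message"
WARN = re.compile(r"WARNING:.*\b(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")  # reporting symbol
FRAME = re.compile(r"^\s*\??\s*([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")  # stack frame
COMM = re.compile(r"\bComm: (\S+)")  # task name on the "CPU: ... Comm:" line

def find_warns(log_text, symbol="deferred_split_folio"):
    """Return one record per WARN block raised from `symbol`."""
    hits, current = [], None
    for raw in log_text.splitlines():
        m = STAMP.match(raw)
        if not m:
            continue  # skip lines without a kernel timestamp
        ts, msg = float(m.group(1)), m.group(2)
        w = WARN.search(msg)
        if w:  # a new WARN block starts; track it only if it is ours
            current = None
            if w.group(1) == symbol:
                current = {"time": ts, "comm": None, "frames": []}
                hits.append(current)
        elif "end trace" in msg:
            current = None  # block finished
        elif current is not None:
            c, f = COMM.search(msg), FRAME.match(msg)
            if c:
                current["comm"] = c.group(1)
            elif f:
                current["frames"].append(f.group(1))
    return hits

if __name__ == "__main__":
    for hit in find_warns(SAMPLE_LOG):
        print(hit)
```

`find_warns` takes any timestamped kernel log text, such as saved `dmesg` output; a non-empty result on a kernel without the fix is a reason to prioritise the upgrade.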

Advisories

No advisories yet.

History

Wed, 27 May 2026 19:00:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-362

Wed, 27 May 2026 14:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: In the Linux kernel, the following vulnerability has been resolved: mm: fix deferred split queue races during migration migrate_folio_move() records the deferred split queue state from src and replays it on dst. Replaying it after remove_migration_ptes(src, dst, 0) makes dst visible before it is requeued, so a concurrent rmap-removal path can mark dst partially mapped and trip the WARN in deferred_split_folio(). Move the requeue before remove_migration_ptes() so dst is back on the deferred split queue before it becomes visible again. Because migration still holds dst locked at that point, teach deferred_split_scan() to requeue a folio when folio_trylock() fails. Otherwise a fully mapped underused folio can be dequeued by the shrinker and silently lost from split_queue. [ziy@nvidia.com: move the comment]

Type: Title
Values Removed: (none)
Values Added: mm: fix deferred split queue races during migration

Type: First Time appeared
Values Removed: (none)
Values Added: Linux; Linux linux Kernel

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:56:18.800Z

Reserved: 2026-05-13T15:03:33.092Z

Link: CVE-2026-46017

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:20.133

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46017

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T18:45:39Z

Weaknesses