Description
In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: restore reservation on error in hugetlb folio copy paths

Two sites in mm/hugetlb.c allocate a hugetlb folio via
alloc_hugetlb_folio() (consuming a VMA reservation) and then call
copy_user_large_folio(), which became int-returning in commit 1cb9dc4b475c
("mm: hwpoison: support recovery from HugePage copy-on-write faults") and
can now fail (e.g. -EHWPOISON on a hwpoisoned source page). On the
failure path, folio_put() restores the global hugetlb pool count through
free_huge_folio(), but the per-VMA reservation map entry is left marked
consumed:

- hugetlb_mfill_atomic_pte() resubmission path (UFFDIO_COPY)
- copy_hugetlb_page_range() fork-time CoW path when
hugetlb_try_dup_anon_rmap() fails (rare: pinned hugetlb anon
folio under fork)

User-visible effect: on UFFDIO_COPY into a private hugetlb VMA where the
resubmission copy fails, the reservation for that address is leaked from
the VMA's reserve map. A subsequent fault at the same address takes the
no-reservation path, and under hugetlb pool pressure the task is SIGBUSed
at an address it had previously reserved. The fork-time CoW path leaks
the same way in the child VMA's reserve map, though it requires the much
rarer combination of pinned hugetlb anon page + hwpoisoned source.

Add the missing restore_reserve_on_error() call before folio_put() on both
error paths.
Published: 2026-06-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A fault in the Linux kernel’s huge page handling code leaves a per‑VMA reservation map marked as consumed when a copy operation on a hugetlb folio fails, such as when the source page is hwpoisoned. This issue is a CWE-772 flaw (Missing Release of Resource after Failure); because the reservation is never restored, the memory address space within that VMA retains an unavailable reservation. A later fault on the same address follows a path that ignores the leaked reservation and, under hugetlb pool pressure, can cause the task to receive a SIGBUS, effectively terminating it or corrupting its execution.

Affected Systems

All Linux kernel installations that have not yet incorporated the patch adding restore_reserve_on_error(), regardless of distribution or kernel version. No version‑specific information is provided, so any kernel prior to the patch is considered affected.

Risk and Exploitability

This is a kernel‑level denial of service flaw that requires a successful huge page copy operation to trigger. Because the EPSS score is low (< 1%) and the vulnerability is not listed in CISA’s KEV catalog, exploitation of this bug is not widely documented. Nevertheless, the impact—forced SIGBUS due to workloads heavily reliant on huge pages under memory pressure—can terminate the affected process. The risk is amplified when an application uses UFFDIO_COPY into a private huge page VMA or triggers the rare fork‑time copy‑on‑write path, causing the leaked reservation to be reused and potentially terminating the task. The CVSS score of 5.5 indicates moderate severity.

Generated by OpenCVE AI on June 26, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a release that includes the restore_reserve_on_error() fix (commit 1cb9dc4b475c).
  • If an immediate upgrade is not feasible, reduce hugetlb usage or adjust the hugetlb pool configuration to lower pressure, and monitor system logs for abnormal SIGBUS events that may indicate the bug is triggering.
  • When possible, temporarily disable the problematic huge page copy‑on‑write paths or apply a backport patch that restores reservations on error.

Generated by OpenCVE AI on June 26, 2026 at 15:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399
CWE-401

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399
CWE-401

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: restore reservation on error in hugetlb folio copy paths Two sites in mm/hugetlb.c allocate a hugetlb folio via alloc_hugetlb_folio() (consuming a VMA reservation) and then call copy_user_large_folio(), which became int-returning in commit 1cb9dc4b475c ("mm: hwpoison: support recovery from HugePage copy-on-write faults") and can now fail (e.g. -EHWPOISON on a hwpoisoned source page). On the failure path, folio_put() restores the global hugetlb pool count through free_huge_folio(), but the per-VMA reservation map entry is left marked consumed: - hugetlb_mfill_atomic_pte() resubmission path (UFFDIO_COPY) - copy_hugetlb_page_range() fork-time CoW path when hugetlb_try_dup_anon_rmap() fails (rare: pinned hugetlb anon folio under fork) User-visible effect: on UFFDIO_COPY into a private hugetlb VMA where the resubmission copy fails, the reservation for that address is leaked from the VMA's reserve map. A subsequent fault at the same address takes the no-reservation path, and under hugetlb pool pressure the task is SIGBUSed at an address it had previously reserved. The fork-time CoW path leaks the same way in the child VMA's reserve map, though it requires the much rarer combination of pinned hugetlb anon page + hwpoisoned source. Add the missing restore_reserve_on_error() call before folio_put() on both error paths.
Title mm/hugetlb: restore reservation on error in hugetlb folio copy paths
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:38:38.168Z

Reserved: 2026-06-09T07:44:35.388Z

Link: CVE-2026-53154

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53154 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T16:00:04Z

Weaknesses
  • CWE-772

    Missing Release of Resource after Effective Lifetime