CVE-2026-23097

MEDIUM EPSS 1.8%
Published Feb 4, 20264mo ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Feb 4, 2026 4mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: migrate: correct lock ordering for hugetlb file folios Syzbot has found a deadlock (analyzed by Lance Yang): 1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock). 2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire folio_lock. migrate_pages() -> migrate_hugetlbs() -> unmap_and_move_huge_page() <- Takes folio_lock! -> remove_migration_ptes() -> __rmap_walk_file() -> i_mmap_lock_read() <- Waits for i_mmap_rwsem(read lock)! hugetlbfs_fallocate() -> hugetlbfs_punch_hole() <- Takes i_mmap_rwsem(write lock)! -> hugetlbfs_zero_partial_page() -> filemap_lock_hugetlb_folio() -> filemap_lock_folio() -> __filemap_get_folio <- Waits for folio_lock! The migration path is the one taking locks in the wrong order according to the documentation at the top of mm/rmap.c. So expand the scope of the existing i_mmap_lock to cover the calls to remove_migration_ptes() too. This is (mostly) how it used to be after commit c0d0381ade79. That was removed by 336bf30eb765 for both file & anon hugetlb pages when it should only have been removed for anon hugetlb pages.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
1.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 18

VendorProductVersionRange
linuxlinux_kernel*≥5.9.9  –  <5.10
linuxlinux_kernel*≥5.10.1  –  <5.10.249
linuxlinux_kernel*≥5.11  –  <5.15.199
linuxlinux_kernel*≥5.16  –  <6.1.162
linuxlinux_kernel*≥6.2  –  <6.6.122
linuxlinux_kernel*≥6.7  –  <6.12.68
linuxlinux_kernel*≥6.13  –  <6.18.8
linuxlinux_kernel5.10any
linuxlinux_kernel5.10any
linuxlinux_kernel5.10any
linuxlinux_kernel5.10any
linuxlinux_kernel5.10any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/1b68efce6dd483d22f50d0d3800c4cfda14b1305
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/526394af4e8ade89cacd1a9ce2b97712712fcc34
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5edb9854f8df5428b40990a1c7d60507da5bd330
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ad97b9a55246eb940a26ac977f80892a395cabf9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b75070823b89009f5123fd0e05a8e0c3d39937c1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b7880cb166ab62c2409046b2347261abf701530e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e7396d23f9d5739f56cf9ab430c3a169f5508394
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/1b68efce6dd483d22f50d0d3800c4cfda14b1305
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/526394af4e8ade89cacd1a9ce2b97712712fcc34
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5edb9854f8df5428b40990a1c7d60507da5bd330
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ad97b9a55246eb940a26ac977f80892a395cabf9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b75070823b89009f5123fd0e05a8e0c3d39937c1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b7880cb166ab62c2409046b2347261abf701530e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e7396d23f9d5739f56cf9ab430c3a169f5508394
    Patch