CVE-2026-23100 in Linuxinfo

Summary

by MITRE • 02/04/2026

In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: fix hugetlb_pmd_shared()

Patch series "mm/hugetlb: fixes for PMD table sharing (incl. using mmu_gather)", v3.

One functional fix, one performance regression fix, and two related comment fixes.

I cleaned up my prototype I recently shared [1] for the performance fix,
deferring most of the cleanups I had in the prototype to a later point. While doing that I identified the other things.

The goal of this patch set is to be backported to stable trees "fairly" easily. At least patch #1 and #4.

Patch #1 fixes hugetlb_pmd_shared() not detecting any sharing Patch #2 + #3 are simple comment fixes that patch #4 interacts with. Patch #4 is a fix for the reported performance regression due to excessive IPI broadcasts during fork()+exit().

The last patch is all about TLB flushes, IPIs and mmu_gather. Read: complicated

There are plenty of cleanups in the future to be had + one reasonable optimization on x86. But that's all out of scope for this series.

Runtime tested, with a focus on fixing the performance regression using the original reproducer [2] on x86.


This patch (of 4):

We switched from (wrongly) using the page count to an independent shared count. Now, shared page tables have a refcount of 1 (excluding speculative references) and instead use ptdesc->pt_share_count to identify sharing.

We didn't convert hugetlb_pmd_shared(), so right now, we would never detect a shared PMD table as such, because sharing/unsharing no longer touches the refcount of a PMD table.

Page migration, like mbind() or migrate_pages() would allow for migrating folios mapped into such shared PMD tables, even though the folios are not exclusive. In smaps we would account them as "private" although they are "shared", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the pagemap interface.

Fix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared().

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 05/03/2026

The vulnerability described in CVE-2026-23100 resides within the Linux kernel's huge page table management subsystem, specifically addressing issues in the hugetlb_pmd_shared() function. This flaw impacts the kernel's ability to accurately detect shared page table mappings, creating potential inconsistencies in memory management operations and system security posture. The vulnerability stems from a fundamental mismatch between the reference counting mechanism used for tracking shared page tables and the actual detection logic within the hugetlb subsystem.

The technical root cause involves the transition from using page reference counts to an independent shared count mechanism for tracking page table sharing. Prior to this fix, the system incorrectly relied on page counts to determine sharing status, which led to scenarios where shared PMD tables were never properly detected. This misidentification occurs because the refcount mechanism for shared page tables now maintains a value of 1 (excluding speculative references) while the actual sharing detection relies on ptdesc->pt_share_count. The function hugetlb_pmd_shared() was not updated to utilize the new ptdesc_pmd_is_shared() interface, resulting in a complete failure to recognize shared PMD tables.

This vulnerability creates significant operational impacts across multiple system components and memory management operations. Page migration operations including mbind() and migrate_pages() can now incorrectly migrate folios mapped into shared PMD tables, despite these folios not being exclusive. The system's accounting in smaps would incorrectly categorize shared memory regions as private, leading to inaccurate memory reporting and potential resource allocation issues. Additionally, the pagemap interface would incorrectly set PM_MMAP_EXCLUSIVE flags, which could affect applications relying on accurate memory mapping information for security policies and resource management decisions.

The vulnerability manifests primarily in scenarios involving fork() and exit() operations where excessive IPI broadcasts occur due to improper TLB flush handling during memory management transitions. This creates performance degradation issues that can be particularly problematic in high-concurrency environments. The fix addresses this by properly implementing the ptdesc_pmd_is_shared() function within hugetlb_pmd_shared(), ensuring accurate detection of shared PMD tables while maintaining compatibility with existing kernel interfaces and stable tree backporting requirements. The patch series specifically targets performance regression issues while maintaining functional correctness, with the final patch focusing on TLB flushes, IPI handling, and mmu_gather operations that are critical for memory management consistency.

From a cybersecurity perspective, this vulnerability aligns with CWE-787 (Out-of-bounds Write) and CWE-121 (Stack-based Buffer Overflow) categories, as improper sharing detection could lead to memory corruption or incorrect access patterns. The ATT&CK framework considerations include T1059 (Command and Scripting Interpreter) and T1068 (Exploitation for Privilege Escalation) where improper memory management could create opportunities for privilege escalation or denial of service attacks. The vulnerability affects systems running Linux kernel versions where huge page table sharing is enabled, particularly impacting server environments where memory-intensive applications and virtualization workloads are common. Proper mitigation requires updating to patched kernel versions and implementing monitoring for anomalous memory management behaviors that could indicate the vulnerability's exploitation.

Responsible

Linux

Reservation

01/13/2026

Disclosure

02/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00114

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!