1. Home
  2. Vulnerabilities
  3. CVE-2026-23100
5.5
MEDIUM CVSS 3.1
CVE-2026-23100
mm/hugetlb: fix hugetlb_pmd_shared()
Overview
Description

In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix hugetlb_pmd_shared() Patch series "mm/hugetlb: fixes for PMD table sharing (incl. using mmu_gather)", v3. One functional fix, one performance regression fix, and two related comment fixes. I cleaned up my prototype I recently shared [1] for the performance fix, deferring most of the cleanups I had in the prototype to a later point. While doing that I identified the other things. The goal of this patch set is to be backported to stable trees "fairly" easily. At least patch #1 and #4. Patch #1 fixes hugetlb_pmd_shared() not detecting any sharing Patch #2 + #3 are simple comment fixes that patch #4 interacts with. Patch #4 is a fix for the reported performance regression due to excessive IPI broadcasts during fork()+exit(). The last patch is all about TLB flushes, IPIs and mmu_gather. Read: complicated There are plenty of cleanups in the future to be had + one reasonable optimization on x86. But that's all out of scope for this series. Runtime tested, with a focus on fixing the performance regression using the original reproducer [2] on x86. This patch (of 4): We switched from (wrongly) using the page count to an independent shared count. Now, shared page tables have a refcount of 1 (excluding speculative references) and instead use ptdesc->pt_share_count to identify sharing. We didn't convert hugetlb_pmd_shared(), so right now, we would never detect a shared PMD table as such, because sharing/unsharing no longer touches the refcount of a PMD table. Page migration, like mbind() or migrate_pages() would allow for migrating folios mapped into such shared PMD tables, even though the folios are not exclusive. In smaps we would account them as "private" although they are "shared", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the pagemap interface. Fix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared().

Details
INFO

Published Date :

Feb. 4, 2026, 5:16 p.m.

Last Modified :

March 25, 2026, 11:16 a.m.

Remotely Exploit :

No

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67
Impact
Affected Products

The following products are affected by CVE-2026-23100 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Linux linux_kernel
: Total Affected Vendor : 1 | Products : 1
Scoring
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 MEDIUM [email protected]
Solution
Update the Linux kernel to fix memory corruption issues related to hugetlb page table sharing.
  • Apply the provided patch series to the Linux kernel.
  • Update the kernel to a version containing these fixes.
  • Compile and install the updated kernel.
  • Reboot the system to apply the changes.
References
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-23100.

URL Resource
https://git.kernel.org/stable/c/3a18b452dd5f7f1652c2e92f8ae769aa17a66c9e Patch
https://git.kernel.org/stable/c/51dcf459845fd28f5a0d83d408a379b274ec5cc5 Patch
https://git.kernel.org/stable/c/5b2aec77f92265a9028c5f632bdd9af5b57ec3a3
https://git.kernel.org/stable/c/69c4e241ff13545d410a8b2a688c932182a858bf Patch
https://git.kernel.org/stable/c/ca1a47cd3f5f4c46ca188b1c9a27af87d1ab2216 Patch
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-23100 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-23100 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-23100 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2026-23100 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Mar. 25, 2026

    Action Type Old Value New Value
    Added Reference https://git.kernel.org/stable/c/5b2aec77f92265a9028c5f632bdd9af5b57ec3a3
  • Initial Analysis by [email protected]

    Mar. 20, 2026

    Action Type Old Value New Value
    Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    Added CWE NVD-CWE-noinfo
    Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.13:rc7:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.10.239 up to (excluding) 5.11 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.15.186 up to (excluding) 5.16 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.1.142 up to (excluding) 6.2 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.12.9 up to (excluding) 6.12.74 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.13.1 up to (excluding) 6.18.8 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.6.72 up to (excluding) 6.6.127
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/3a18b452dd5f7f1652c2e92f8ae769aa17a66c9e Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/51dcf459845fd28f5a0d83d408a379b274ec5cc5 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/69c4e241ff13545d410a8b2a688c932182a858bf Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/ca1a47cd3f5f4c46ca188b1c9a27af87d1ab2216 Types: Patch
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Feb. 19, 2026

    Action Type Old Value New Value
    Added Reference https://git.kernel.org/stable/c/3a18b452dd5f7f1652c2e92f8ae769aa17a66c9e
    Added Reference https://git.kernel.org/stable/c/51dcf459845fd28f5a0d83d408a379b274ec5cc5
  • New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Feb. 04, 2026

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix hugetlb_pmd_shared() Patch series "mm/hugetlb: fixes for PMD table sharing (incl. using mmu_gather)", v3. One functional fix, one performance regression fix, and two related comment fixes. I cleaned up my prototype I recently shared [1] for the performance fix, deferring most of the cleanups I had in the prototype to a later point. While doing that I identified the other things. The goal of this patch set is to be backported to stable trees "fairly" easily. At least patch #1 and #4. Patch #1 fixes hugetlb_pmd_shared() not detecting any sharing Patch #2 + #3 are simple comment fixes that patch #4 interacts with. Patch #4 is a fix for the reported performance regression due to excessive IPI broadcasts during fork()+exit(). The last patch is all about TLB flushes, IPIs and mmu_gather. Read: complicated There are plenty of cleanups in the future to be had + one reasonable optimization on x86. But that's all out of scope for this series. Runtime tested, with a focus on fixing the performance regression using the original reproducer [2] on x86. This patch (of 4): We switched from (wrongly) using the page count to an independent shared count. Now, shared page tables have a refcount of 1 (excluding speculative references) and instead use ptdesc->pt_share_count to identify sharing. We didn't convert hugetlb_pmd_shared(), so right now, we would never detect a shared PMD table as such, because sharing/unsharing no longer touches the refcount of a PMD table. Page migration, like mbind() or migrate_pages() would allow for migrating folios mapped into such shared PMD tables, even though the folios are not exclusive. In smaps we would account them as "private" although they are "shared", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the pagemap interface. Fix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared().
    Added Reference https://git.kernel.org/stable/c/69c4e241ff13545d410a8b2a688c932182a858bf
    Added Reference https://git.kernel.org/stable/c/ca1a47cd3f5f4c46ca188b1c9a27af87d1ab2216
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CVSS
Vulnerability Scoring Details
Base CVSS Score: 5.5
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact