{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-03T16:06:53.007","vulnerabilities":[{"cve":{"id":"CVE-2026-23100","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-02-04T17:16:20.880","lastModified":"2026-04-18T09:16:13.703","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix hugetlb_pmd_shared()\n\nPatch series \"mm/hugetlb: fixes for PMD table sharing (incl.  using\nmmu_gather)\", v3.\n\nOne functional fix, one performance regression fix, and two related\ncomment fixes.\n\nI cleaned up my prototype I recently shared [1] for the performance fix,\ndeferring most of the cleanups I had in the prototype to a later point. \nWhile doing that I identified the other things.\n\nThe goal of this patch set is to be backported to stable trees \"fairly\"\neasily. At least patch #1 and #4.\n\nPatch #1 fixes hugetlb_pmd_shared() not detecting any sharing\nPatch #2 + #3 are simple comment fixes that patch #4 interacts with.\nPatch #4 is a fix for the reported performance regression due to excessive\nIPI broadcasts during fork()+exit().\n\nThe last patch is all about TLB flushes, IPIs and mmu_gather.\nRead: complicated\n\nThere are plenty of cleanups in the future to be had + one reasonable\noptimization on x86. But that's all out of scope for this series.\n\nRuntime tested, with a focus on fixing the performance regression using\nthe original reproducer [2] on x86.\n\n\nThis patch (of 4):\n\nWe switched from (wrongly) using the page count to an independent shared\ncount.  Now, shared page tables have a refcount of 1 (excluding\nspeculative references) and instead use ptdesc->pt_share_count to identify\nsharing.\n\nWe didn't convert hugetlb_pmd_shared(), so right now, we would never\ndetect a shared PMD table as such, because sharing/unsharing no longer\ntouches the refcount of a PMD table.\n\nPage migration, like mbind() or migrate_pages() would allow for migrating\nfolios mapped into such shared PMD tables, even though the folios are not\nexclusive.  In smaps we would account them as \"private\" although they are\n\"shared\", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the\npagemap interface.\n\nFix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared()."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nmm/hugetlb: corregir hugetlb_pmd_shared()\n\nSerie de parches 'mm/hugetlb: correcciones para el uso compartido de tablas PMD (incl. el uso de mmu_gather)', v3.\n\nUna corrección funcional, una corrección de regresión de rendimiento y dos correcciones de comentarios relacionadas.\n\nLimpié mi prototipo que compartí recientemente [1] para la corrección de rendimiento, aplazando la mayoría de las limpiezas que tenía en el prototipo para un momento posterior. Mientras hacía eso, identifiqué las otras cosas.\n\nEl objetivo de este conjunto de parches es ser retroportado a árboles estables \"bastante\" fácilmente. Al menos el parche #1 y #4.\n\nEl parche #1 corrige que hugetlb_pmd_shared() no detecte ningún uso compartido.\nEl parche #2 + #3 son simples correcciones de comentarios con las que el parche #4 interactúa.\nEl parche #4 es una corrección para la regresión de rendimiento reportada debido a transmisiones IPI excesivas durante fork()+exit().\n\nEl último parche trata sobre vaciados de TLB, IPIs y mmu_gather.\nLéase: complicado\n\nHay muchas limpiezas por hacer en el futuro + una optimización razonable en x86. Pero todo eso está fuera del alcance de esta serie.\n\nProbado en tiempo de ejecución, con un enfoque en corregir la regresión de rendimiento usando el reproductor original [2] en x86.\n\nEste parche (de 4):\n\nCambiamos de usar (erróneamente) el recuento de páginas a un recuento compartido independiente. Ahora, las tablas de páginas compartidas tienen un refcount de 1 (excluyendo referencias especulativas) y en su lugar usan ptdesc-&gt;pt_share_count para identificar el uso compartido.\n\nNo convertimos hugetlb_pmd_shared(), así que ahora mismo, nunca detectaríamos una tabla PMD compartida como tal, porque compartir/dejar de compartir ya no afecta el refcount de una tabla PMD.\n\nLa migración de páginas, como mbind() o migrate_pages(), permitiría migrar folios mapeados en dichas tablas PMD compartidas, aunque los folios no sean exclusivos. En smaps los contabilizaríamos como \"privados\" aunque sean \"compartidos\", y estaríamos configurando erróneamente el PM_MMAP_EXCLUSIVE en la interfaz pagemap.\n\nCorregirlo usando correctamente ptdesc_pmd_is_shared() en hugetlb_pmd_shared()."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.239","versionEndExcluding":"5.11","matchCriteriaId":"6B462A12-1313-443F-A4AD-497D3E94D030"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.186","versionEndExcluding":"5.16","matchCriteriaId":"0A14ADC6-011A-46D0-A322-43C2517D1E11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.142","versionEndExcluding":"6.2","matchCriteriaId":"2382297A-0991-403C-B3BE-E14D6ACDF1AA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.72","versionEndExcluding":"6.6.127","matchCriteriaId":"97B4F548-197A-4ED6-BBAA-A5DDE4C23486"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.9","versionEndExcluding":"6.12.74","matchCriteriaId":"1863CA93-1652-44FD-9A0D-75DB28F5318F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13.1","versionEndExcluding":"6.18.8","matchCriteriaId":"DABFB8C1-7DE1-44E5-A929-BC67ABA89E0D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*","matchCriteriaId":"5A3F9505-6B98-4269-8B81-127E55A1BF00"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*","matchCriteriaId":"8AF9DC49-2085-4FFB-A7E3-73DFAFECC7F2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.13:rc7:*:*:*:*:*:*","matchCriteriaId":"5DFCDFB8-4FD0-465A-9076-D813D78FE51B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*","matchCriteriaId":"17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*","matchCriteriaId":"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*","matchCriteriaId":"F71D92C0-C023-48BD-B3B6-70B638EEE298"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*","matchCriteriaId":"13580667-0A98-40CC-B29F-D12790B91BDB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*","matchCriteriaId":"CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*","matchCriteriaId":"3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/3a18b452dd5f7f1652c2e92f8ae769aa17a66c9e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/51dcf459845fd28f5a0d83d408a379b274ec5cc5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5b2aec77f92265a9028c5f632bdd9af5b57ec3a3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/69c4e241ff13545d410a8b2a688c932182a858bf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8ae48255bcb17b32436be97553dca848730d365f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bf3c2affe245cf831866ddc8f736ae6a22cdc11c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ca1a47cd3f5f4c46ca188b1c9a27af87d1ab2216","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}