Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-53154— mm/hugetlb: restore reservation on error in hugetlb folio copy paths

AI Predicted 4.3 Difficulty: Trivial EPSS 0.12% · P2

Affected Version Matrix 12

VendorProductVersion RangeStatus
LinuxLinux1cb9dc4b475c7418f925ab0c97b6750007d9f52e< 8d6e1dd3ad1340cd8b6d554b7aa93d8f0a1c6d38affected
1cb9dc4b475c7418f925ab0c97b6750007d9f52e< e47bf16af3c45470ea32f2241fa69aefe0dd61bdaffected
1cb9dc4b475c7418f925ab0c97b6750007d9f52e< c72469ac0f274bde3f0df60a4584e14a123d0aa6affected
1cb9dc4b475c7418f925ab0c97b6750007d9f52e< 45e33d43243d71d089af42f5077b8213cee6610faffected
1cb9dc4b475c7418f925ab0c97b6750007d9f52e< 40c81856e622a9dc59294a90d169ac07ea25b0b0affected
6.4affected
< 6.4unaffected
6.6.143≤ 6.6.*unaffected
… +4 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-53154

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
mm/hugetlb: restore reservation on error in hugetlb folio copy paths
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: restore reservation on error in hugetlb folio copy paths Two sites in mm/hugetlb.c allocate a hugetlb folio via alloc_hugetlb_folio() (consuming a VMA reservation) and then call copy_user_large_folio(), which became int-returning in commit 1cb9dc4b475c ("mm: hwpoison: support recovery from HugePage copy-on-write faults") and can now fail (e.g. -EHWPOISON on a hwpoisoned source page). On the failure path, folio_put() restores the global hugetlb pool count through free_huge_folio(), but the per-VMA reservation map entry is left marked consumed: - hugetlb_mfill_atomic_pte() resubmission path (UFFDIO_COPY) - copy_hugetlb_page_range() fork-time CoW path when hugetlb_try_dup_anon_rmap() fails (rare: pinned hugetlb anon folio under fork) User-visible effect: on UFFDIO_COPY into a private hugetlb VMA where the resubmission copy fails, the reservation for that address is leaked from the VMA's reserve map. A subsequent fault at the same address takes the no-reservation path, and under hugetlb pool pressure the task is SIGBUSed at an address it had previously reserved. The fork-time CoW path leaks the same way in the child VMA's reserve map, though it requires the much rarer combination of pinned hugetlb anon page + hwpoisoned source. Add the missing restore_reserve_on_error() call before folio_put() on both error paths.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会开源的操作系统Linux所使用的内核。 Linux kernel 6.4版本存在安全漏洞,该漏洞源于mm/hugetlb.c中的hugetlb folio复制路径在错误时未恢复预留,可能导致通过UFFDIO_COPY或fork时CoW路径泄露VMA预留映射中的预留,后续同一地址的缺页错误可能因hugetlb池压力导致任务收到SIGBUS信号。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 1cb9dc4b475c7418f925ab0c97b6750007d9f52e ~ 8d6e1dd3ad1340cd8b6d554b7aa93d8f0a1c6d38 -
LinuxLinux 6.4 -

II. Public POCs for CVE-2026-53154

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-53154

登录查看更多情报信息。

Patches & Fixes for CVE-2026-53154 (5)

Same Patch Batch · Linux · 2026-06-25 · 146 CVEs total

CVE-2026-532289.8 CRITICALipv6: sit: reload inner IPv6 header after GSO offloads
CVE-2026-532479.8 CRITICALnet: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown
CVE-2026-531519.8 CRITICALrxrpc: Fix the ACK parser to extract the SACK table for parsing
CVE-2026-532469.8 CRITICALsctp: validate cached peer INIT chunk length in COOKIE_ECHO processing
CVE-2026-532609.8 CRITICALtcp: Add preempt_{disable,enable}_nested() in reqsk_queue_hash_req().
CVE-2026-531759.8 CRITICALinet: frags: fix use-after-free caused by the fqdir_pre_exit() flush
CVE-2026-531769.8 CRITICALIB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN
CVE-2026-532219.8 CRITICALip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()
CVE-2026-532159.8 CRITICALnet: mvpp2: refill RX buffers before XDP or skb use
CVE-2026-532169.8 CRITICALnet: mvpp2: limit XDP frame size to the RX buffer
CVE-2026-531319.4 CRITICALnetfilter: require Ethernet MAC header before using eth_hdr()
CVE-2026-532259.1 CRITICALsctp: fix uninit-value in __sctp_rcv_asconf_lookup()
CVE-2026-531869.1 CRITICALRDMA/srp: bound SRP_RSP sense copy by the received length
CVE-2026-532249.1 CRITICALsctp: validate embedded INIT chunk and address list lengths in cookie
CVE-2026-531718.8 HIGHaccel/ethosu: fix arithmetic issues in dma_length()
CVE-2026-532488.8 HIGHnet: airoha: Fix use-after-free in metadata dst teardown
CVE-2026-532408.8 HIGHxfrm: iptfs: fix use-after-free on first_skb in __input_process_payload
CVE-2026-531988.8 HIGHksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL
CVE-2026-531888.8 HIGHRDMA/core: Validate the passed in fops for ib_get_ucaps()
CVE-2026-531708.8 HIGHaccel/ethosu: reject DMA commands with uninitialized length

Showing top 20 of 146 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

V. Comments for CVE-2026-53154

No comments yet


Leave a comment