目標達成 すべての支援者に感謝 — 100%達成しました!

目標: 1000 CNY · 調達済み: 1336 CNY

100%

CVE-2026-53155— Linux kernel 安全漏洞

AI Predicted 7.8 Difficulty: Moderate EPSS 0.11% · P1

Affected Version Matrix 6

ベンダープロダクトVersion Rangeステータス
LinuxLinux65edfda6f3f2e58f757485a056e4f1775a1404a8< d7251c8d3f7cea76543abac6cf4ed15582c10846affected
65edfda6f3f2e58f757485a056e4f1775a1404a8< 43e7f189769c512c843184a8a5892ac779a6bd90affected
6.19affected
< 6.19unaffected
7.0.13≤ 7.0.*unaffected
7.1≤ *unaffected
新しい脆弱性情報の通知を購読するログインして購読

I. CVE-2026-53155の基本情報

脆弱性情報

脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗

高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。

脆弱性タイトル
mm/huge_memory: use correct flags for device private PMD entry
ソース: NVD (National Vulnerability Database)
脆弱性説明
In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: use correct flags for device private PMD entry Commit 65edfda6f3f2 ("mm/rmap: extend rmap and migration support device-private entries") updated set_pmd_migration_entry() to use pmdp_huge_get_and_clear() in the softleaf case, but made no further adjustments to the function itself. Therefore this function continues to incorrectly use pmd_write(), pmd_soft_dirty() and pmd_uffd_wp() to determine whether the installed migration entry should be marked writable, softdirty or uffd-wp respectively. Whilst all are incorrect, the most problematic of these is pmd_write(), as this can lead to corrupted rmap state. On x86-64 _PAGE_SWP_SOFT_DIRTY is aliased to _PAGE_RW. So calling pmd_write() on a softleaf will return the softdirty state encoded in the entry, assuming CONFIG_MEM_SOFT_DIRTY was enabled. This was observed when running the hmm.hmm_device_private.anon_write_child selftest: 1. The test faults in a range then migrates it such that a device-private THP range is established. 2. The parent then migrates it to a device-private writable PMD entry whose folio is entirely AnonExclusive with entire_mapcount=1, softdirty set (accidentally correct write state). 3. The parent forks and the PMD entries are set to device-private read only entries, entire_mapcount=2, softdirty still set. 4. [BUG] The child writes to the range then migrates to RAM - intending to install non-writable migration entries - but replacing parent and child PMD mappings with WRITABLE entries due to misinterpreting the softdirty bit. 5. In remove_migration_pmd(), if !softleaf_is_migration_read(entry) we set the RMAP_EXCLUSIVE flag when calling folio_add_anon_rmap_pmd() for both parent and child, which are therefore AnonExclusive. 6. [SPLAT] Child sets migrated folio entire_mapcount=1, parent sets entire_mapcount=2 and we end up with an AnonExclusive folio with entire_mapcount=2! Assert fires in __folio_add_anon_rmap(): VM_WARN_ON_FOLIO(folio_test_large(folio) && folio_entire_mapcount(folio) > 1 && PageAnonExclusive(cur_page), folio) This patch fixes the issue by correctly referencing the softleaf entry fields for writable, softdirty and uffd-wp in set_pmd_migration_entry(). It also only updates A/D flags if the entry is present as these are otherwise not meaningful for a softleaf entry. This patch also flips the if (!present) { ... } else { ... } logic in set_pmd_migration_entry() so it is easier to understand, and adds some comments to make things clearer. I was able to bisect this to commit 775465fd26a3 ("lib/test_hmm: add zone device private THP test infrastructure") which first exposes this bug as it was the commit that permitted test_hmm to generate the test. However commit 65edfda6f3f2 ("mm/rmap: extend rmap and migration support device-private entries") is the commit that actually enabled this behaviour.
ソース: NVD (National Vulnerability Database)
CVSS情報
N/A
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
N/A
ソース: NVD (National Vulnerability Database)
脆弱性タイトル
Linux kernel 安全漏洞
ソース: CNNVD (China National Vulnerability Database)
脆弱性説明
Linux kernel是美国Linux基金会开源的操作系统Linux所使用的内核。 Linux kernel 6.19版本存在安全漏洞,该漏洞源于在set_pmd_migration_entry()函数中错误使用了pmd_write()、pmd_soft_dirty()和pmd_uffd_wp()标志,导致设备私有PMD条目迁移时rmap状态被破坏,可能导致权限提升。以下版本受到影响:6.19版本。
ソース: CNNVD (China National Vulnerability Database)
CVSS情報
N/A
ソース: CNNVD (China National Vulnerability Database)
脆弱性タイプ
N/A
ソース: CNNVD (China National Vulnerability Database)

影響を受ける製品

ベンダープロダクト影響を受けるバージョンCPE購読
LinuxLinux 65edfda6f3f2e58f757485a056e4f1775a1404a8 ~ d7251c8d3f7cea76543abac6cf4ed15582c10846 -
LinuxLinux 6.19 -

II. CVE-2026-53155の公開POC

#POC説明ソースリンクShenlongリンク
AI生成POCプレミアム

公開POCは見つかりませんでした。

ログインしてAI POCを生成

III. CVE-2026-53155のインテリジェンス情報

登录查看更多情报信息。

CVE-2026-53155 补丁与修复 (2)

Same Patch Batch · Linux · 2026-06-25 · 146 CVEs total

CVE-2026-532289.8 CRITICALipv6: sit: reload inner IPv6 header after GSO offloads
CVE-2026-532479.8 CRITICALnet: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown
CVE-2026-531519.8 CRITICALrxrpc: Fix the ACK parser to extract the SACK table for parsing
CVE-2026-532469.8 CRITICALsctp: validate cached peer INIT chunk length in COOKIE_ECHO processing
CVE-2026-532609.8 CRITICALtcp: Add preempt_{disable,enable}_nested() in reqsk_queue_hash_req().
CVE-2026-531759.8 CRITICALinet: frags: fix use-after-free caused by the fqdir_pre_exit() flush
CVE-2026-531769.8 CRITICALIB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN
CVE-2026-532219.8 CRITICALip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()
CVE-2026-532159.8 CRITICALnet: mvpp2: refill RX buffers before XDP or skb use
CVE-2026-532169.8 CRITICALnet: mvpp2: limit XDP frame size to the RX buffer
CVE-2026-531319.4 CRITICALnetfilter: require Ethernet MAC header before using eth_hdr()
CVE-2026-532259.1 CRITICALsctp: fix uninit-value in __sctp_rcv_asconf_lookup()
CVE-2026-531869.1 CRITICALRDMA/srp: bound SRP_RSP sense copy by the received length
CVE-2026-532249.1 CRITICALsctp: validate embedded INIT chunk and address list lengths in cookie
CVE-2026-531718.8 HIGHaccel/ethosu: fix arithmetic issues in dma_length()
CVE-2026-532488.8 HIGHnet: airoha: Fix use-after-free in metadata dst teardown
CVE-2026-532408.8 HIGHxfrm: iptfs: fix use-after-free on first_skb in __input_process_payload
CVE-2026-531988.8 HIGHksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL
CVE-2026-531888.8 HIGHRDMA/core: Validate the passed in fops for ib_get_ucaps()
CVE-2026-531708.8 HIGHaccel/ethosu: reject DMA commands with uninitialized length

Showing 20 of 146 CVEs. View all on vendor page →

IV. 関連脆弱性

V. CVE-2026-53155へのコメント

まだコメントはありません


コメントを残す