CVE-2026-23097 Overview
A deadlock vulnerability has been discovered in the Linux kernel's memory migration subsystem affecting hugetlb file folios. The vulnerability exists due to incorrect lock ordering between folio_lock and i_mmap_rwsem during page migration operations. This race condition can result in a deadlock scenario when two tasks attempt to acquire these locks in conflicting orders, causing system hangs and denial of service.
Critical Impact
Systems utilizing hugetlbfs for memory management may experience complete system hangs when memory migration and fallocate operations occur simultaneously, leading to denial of service conditions.
Affected Products
- Linux Kernel (hugetlbfs subsystem)
- Systems using hugetlb memory pages
- Environments performing memory migration operations
Discovery Timeline
- 2026-02-04 - CVE CVE-2026-23097 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-23097
Vulnerability Analysis
The deadlock vulnerability occurs in the Linux kernel's memory migration path when handling hugetlb file folios. The issue was identified by Syzbot and analyzed by Lance Yang, revealing a classic lock ordering violation between two concurrent tasks.
The vulnerability manifests when Task 1 (migration path) holds folio_lock and attempts to acquire i_mmap_rwsem as a read lock, while Task 2 (fallocate path) holds i_mmap_rwsem as a write lock and attempts to acquire folio_lock. This creates a circular dependency that results in an unrecoverable deadlock condition.
The root cause stems from a regression introduced when commit 336bf30eb765 incorrectly removed lock scope expansion for both file and anonymous hugetlb pages, when the change should only have applied to anonymous hugetlb pages. This violated the lock ordering documentation specified in mm/rmap.c.
Root Cause
The migration code path acquires locks in an incorrect order relative to the documented locking hierarchy. According to mm/rmap.c, proper lock ordering must be maintained to prevent deadlocks. The fix expands the scope of the existing i_mmap_lock to cover calls to remove_migration_ptes(), restoring the behavior established in commit c0d0381ade79.
The problematic code flow involves:
- migrate_pages() → migrate_hugetlbs() → unmap_and_move_huge_page() acquiring folio_lock
- Then attempting to acquire i_mmap_rwsem via __rmap_walk_file() → i_mmap_lock_read()
This conflicts with:
- hugetlbfs_fallocate() → hugetlbfs_punch_hole() acquiring i_mmap_rwsem write lock
- Then attempting to acquire folio_lock via filemap_lock_hugetlb_folio()
Attack Vector
This vulnerability can be triggered locally when memory migration operations coincide with hugetlbfs fallocate operations. The deadlock scenario requires:
- A process initiating page migration (such as during NUMA balancing or memory compaction)
- Another process performing fallocate operations on hugetlbfs-backed files
- Both operations targeting the same hugetlb folio simultaneously
The vulnerability is primarily exploitable for denial of service, as the deadlock renders the affected system unresponsive. While local access is typically required, any workload that combines hugetlb memory usage with page migration can potentially trigger this condition.
Detection Methods for CVE-2026-23097
Indicators of Compromise
- System hangs or unresponsive behavior during memory-intensive operations
- Kernel soft lockup warnings in system logs referencing hugetlbfs or migration functions
- Processes stuck in uninterruptible sleep (D state) with stack traces showing migrate_hugetlbs or hugetlbfs_fallocate
- Lockdep warnings indicating circular locking dependency between folio_lock and i_mmap_rwsem
Detection Strategies
- Enable CONFIG_LOCKDEP in kernel builds to detect lock ordering violations at runtime
- Monitor for soft lockup events using kernel logging and alerting mechanisms
- Implement system health monitoring that detects prolonged unresponsive states
- Review kernel logs for deadlock warnings involving hugetlbfs subsystem functions
Monitoring Recommendations
- Deploy kernel watchdog mechanisms to detect and alert on system hangs
- Monitor /proc/lockdep_stats for lock contention patterns
- Set up alerts for kernel oops or panic events related to memory management subsystems
- Implement automated recovery procedures for systems experiencing hang conditions
How to Mitigate CVE-2026-23097
Immediate Actions Required
- Update to a patched Linux kernel version that includes the lock ordering fix
- Review systems for hugetlbfs usage and assess exposure to the vulnerability
- Consider temporarily disabling hugetlbfs if memory migration operations are frequent and patching is delayed
- Monitor affected systems closely for signs of deadlock conditions
Patch Information
The Linux kernel maintainers have released patches to correct the lock ordering for hugetlb file folios. The fix expands the scope of i_mmap_lock to cover remove_migration_ptes() calls, restoring proper lock ordering.
Multiple kernel git commits address this vulnerability:
- Kernel Git Commit 1b68efce6dd4
- Kernel Git Commit 526394af4e8a
- Kernel Git Commit b75070823b89
- Kernel Git Commit b7880cb166ab
Workarounds
- Disable hugetlbfs if not required for workload operations by unmounting hugetlbfs filesystems
- Limit memory migration by adjusting NUMA balancing settings (numa_balancing=0 kernel parameter)
- Avoid concurrent fallocate operations on hugetlbfs during memory-intensive workloads
- Implement process isolation to prevent simultaneous triggering of vulnerable code paths
# Configuration example
# Disable NUMA balancing to reduce migration activity
echo 0 > /proc/sys/kernel/numa_balancing
# Check hugetlbfs mount points
mount | grep hugetlbfs
# Unmount hugetlbfs if not needed
umount /dev/hugepages
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
