CVE-2026-23100 Overview
A vulnerability has been identified in the Linux kernel's memory management subsystem affecting the hugetlb_pmd_shared() function. The issue stems from an incomplete conversion when the kernel switched from using page counts to an independent shared count for PMD (Page Middle Directory) table sharing detection. This regression causes the kernel to fail to properly detect shared PMD tables, leading to incorrect memory accounting and potential security implications.
Critical Impact
Systems using HugeTLB pages may experience incorrect memory sharing detection, allowing page migration on shared folios that should be exclusive, and causing incorrect reporting in /proc/[pid]/smaps and pagemap interfaces.
Affected Products
- Linux kernel versions with HugeTLB support
- Systems utilizing PMD table sharing for huge pages
- Distributions using affected kernel memory management subsystems
Discovery Timeline
- 2026-02-04 - CVE-2026-23100 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-23100
Vulnerability Analysis
The vulnerability resides in the Linux kernel's HugeTLB memory management code, specifically within the hugetlb_pmd_shared() function. When the kernel refactored its PMD table sharing mechanism, it transitioned from using page reference counts to track sharing status to a dedicated ptdesc->pt_share_count field. However, the hugetlb_pmd_shared() function was not updated to use the new ptdesc_pmd_is_shared() interface, causing it to always fail to detect when a PMD table is actually shared.
This detection failure has several downstream consequences: page migration operations such as mbind() or migrate_pages() may incorrectly migrate folios that are mapped into shared PMD tables despite those folios not being exclusive. Additionally, the /proc/[pid]/smaps interface would incorrectly report shared pages as "private," and the pagemap interface would erroneously set the PM_MMAP_EXCLUSIVE flag for pages that are actually shared.
Root Cause
The root cause is an incomplete code migration during the kernel's transition from page refcount-based sharing detection to the new pt_share_count mechanism. Under the new design, shared page tables maintain a refcount of 1 (excluding speculative references) and rely solely on ptdesc->pt_share_count to identify sharing relationships. The hugetlb_pmd_shared() function continued using the legacy detection method, which no longer reflects the actual sharing state since sharing and unsharing operations no longer modify the PMD table's refcount.
Attack Vector
The attack vector for this vulnerability is local. An attacker with local access could potentially exploit the incorrect sharing detection to manipulate memory isolation boundaries or cause information disclosure through incorrect page accounting. The vulnerability affects systems where HugeTLB pages are actively used, particularly in scenarios involving page migration, memory policy changes, or memory introspection via the proc filesystem interfaces.
While no public exploit code is currently available, the memory accounting inconsistencies could theoretically be leveraged in multi-tenant environments where accurate memory isolation is critical for security boundaries.
Detection Methods for CVE-2026-23100
Indicators of Compromise
- Unexpected behavior in /proc/[pid]/smaps showing pages as "private" that should be "shared"
- Anomalous PM_MMAP_EXCLUSIVE flags in pagemap output for HugeTLB mappings
- Performance degradation during fork() and exit() operations due to excessive IPI broadcasts
- Unexpected successful page migrations on memory that should be shared
Detection Strategies
- Monitor kernel logs for HugeTLB-related warnings or errors during memory operations
- Audit systems using HugeTLB pages for memory accounting inconsistencies
- Review /proc/[pid]/smaps output for applications using huge pages to verify correct private/shared accounting
- Check for unusual IPI broadcast patterns that may indicate the related performance regression
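The smaps review described above can be automated. The following sketch is an added example, not code from the advisory or the kernel project: it parses the `Shared_Hugetlb` and `Private_Hugetlb` fields of smaps and flags MAP_SHARED hugetlb mappings that are accounted as private even though another process maps the same backing file shared. The function names, PIDs, paths and sample smaps text are constructed assumptions, and a hit is only a triage candidate, because processes that touch disjoint pages of the same file legitimately report private pages.

```python
import re
from collections import defaultdict

# smaps VMA header: start-end perms offset dev inode [path]
HDR = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) [0-9a-f]+ (\S+) (\d+)\s*(.*)$")
FIELD = re.compile(r"^(Shared_Hugetlb|Private_Hugetlb):\s+(\d+) kB$")

def hugetlb_vmas(smaps_text):
    """Return the VMAs in one process's smaps text that hold hugetlb pages."""
    vmas, vma = [], None
    for line in smaps_text.splitlines():
        if m := HDR.match(line):
            vma = {"range": f"{m[1]}-{m[2]}", "perms": m[3], "path": m[6],
                   "backing": (m[4], int(m[5])),  # (device, inode)
                   "Shared_Hugetlb": 0, "Private_Hugetlb": 0}
            vmas.append(vma)
        elif vma is not None and (f := FIELD.match(line)):
            vma[f[1]] = int(f[2])
    return [v for v in vmas if v["Shared_Hugetlb"] or v["Private_Hugetlb"]]

def suspicious(smaps_by_pid):
    """Flag MAP_SHARED hugetlb VMAs counted as private although another
    process maps the same backing file shared. Heuristic only."""
    mappers = defaultdict(list)
    for pid, text in smaps_by_pid.items():
        for v in hugetlb_vmas(text):
            if v["perms"][3] == "s":  # 's' = shared mapping, 'p' = private
                mappers[v["backing"]].append((pid, v))
    hits = []
    for users in mappers.values():
        if len({pid for pid, _ in users}) >= 2:
            hits += [(pid, v["range"], v["path"], v["Private_Hugetlb"])
                     for pid, v in users if v["Private_Hugetlb"] > 0]
    return sorted(hits)

def _vma(rng, perms, inode, path, shared_kb, private_kb):
    """Build a constructed smaps excerpt (sample data, not captured output)."""
    return (f"{rng} {perms} 00000000 00:0f {inode}    {path}\n"
            f"Size:            1048576 kB\n"
            f"Shared_Hugetlb:  {shared_kb:>8} kB\n"
            f"Private_Hugetlb: {private_kb:>8} kB\n")

SAMPLE = {  # constructed: PIDs 1001/1002 share one hugetlbfs file, 1003 is private
    1001: _vma("7f0000000000-7f0040000000", "rw-s", 4242, "/dev/hugepages/db_shm", 0, 1048576),
    1002: _vma("7e8000000000-7e8040000000", "rw-s", 4242, "/dev/hugepages/db_shm", 0, 1048576),
    1003: _vma("7d0000000000-7d0040000000", "rw-p", 5150, "/anon_hugepage (deleted)", 0, 2048),
}

if __name__ == "__main__":
    for pid, rng, path, kb in suspicious(SAMPLE):
        print(f"pid {pid} {rng} {path}: {kb} kB Private_Hugetlb in a shared mapping")
```

On a live host, build the input dictionary from the contents of /proc/[pid]/smaps for the processes of interest; reading another process's smaps requires sufficient privileges.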
Monitoring Recommendations
- Implement monitoring for HugeTLB memory operations in production environments
- Set up alerts for kernel memory management subsystem errors
- Track page migration activities on systems using memory policy controls like mbind() or migrate_pages()
- Consider deploying kernel tracing for PMD table operations in sensitive environments
How to Mitigate CVE-2026-23100
Immediate Actions Required
- Update to a patched Linux kernel version containing the fix
- Review systems using HugeTLB pages for potential memory accounting issues
- Prioritize patching on multi-tenant systems where memory isolation is security-critical
- Consider temporarily disabling HugeTLB page sharing if patching cannot be performed immediately
Patch Information
The vulnerability has been resolved in the Linux kernel through commits that properly update hugetlb_pmd_shared() to use ptdesc_pmd_is_shared() for accurate sharing detection. The fix is available through the following kernel git commits:
- Kernel Git Commit 69c4e241ff13545d410a8b2a688c932182a858bf
- Kernel Git Commit ca1a47cd3f5f4c46ca188b1c9a27af87d1ab2216
This patch is part of a series that includes additional fixes for related performance regressions involving TLB flushes and IPI broadcasts during fork() and exit() operations. Administrators should apply the complete patch series for optimal performance and correctness.
Workarounds
- Disable HugeTLB page sharing on affected systems if immediate patching is not feasible
- Avoid using mbind() or migrate_pages() on applications utilizing HugeTLB pages until patched
- Monitor affected systems for memory accounting anomalies and investigate any inconsistencies
- Consider using standard pages instead of huge pages for security-sensitive applications until the fix is applied
# Check current HugeTLB configuration
grep -i huge /proc/meminfo
# Verify kernel version for patch status
uname -r
# Show the configured persistent huge page pool size
cat /proc/sys/vm/nr_hugepages


