CVE-2026-23375 Overview
A memory corruption vulnerability has been identified in the Linux kernel's Transparent Huge Pages (THP) subsystem. The file_thp_enabled() function incorrectly allows THP for files on anonymous inodes, such as guest_memfd and secretmem. These files are created via alloc_file_pseudo(), which does not call get_write_access() and leaves inode->i_writecount at 0. When combined with S_ISREG(inode->i_mode) being true and CONFIG_READ_ONLY_THP_FOR_FS enabled, these files incorrectly appear as read-only regular files eligible for THP collapse.
Critical Impact
This vulnerability can lead to kernel crashes and memory corruption when THP collapse operations are performed on anonymous inode files, particularly affecting secretmem pages that are removed from the direct map.
Affected Products
- Linux kernel with CONFIG_READ_ONLY_THP_FOR_FS enabled
- Systems using guest_memfd (KVM guest memory)
- Systems using secretmem (secret memory allocations)
Discovery Timeline
- 2026-03-25 - CVE-2026-23375 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23375
Vulnerability Analysis
The vulnerability stems from a logic flaw in the file_thp_enabled() function within the Linux kernel's memory management subsystem. The CONFIG_READ_ONLY_THP_FOR_FS feature was designed to enable Transparent Huge Pages for real filesystem files, such as shared libraries, to improve performance. However, the implementation fails to account for pseudo-filesystem inodes created via alloc_file_pseudo().
Anonymous inodes created through this path have their i_writecount left at 0 because get_write_access() is never called during their creation. This creates a false positive condition where these files pass the read-only eligibility check despite not being actual filesystem files.
For guest_memfd, this allows khugepaged and MADV_COLLAPSE to create large folios in the page cache via the collapse path. However, the guest_memfd fault handler does not support large folios, triggering WARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping().
For secretmem, the situation is more severe. The collapse_file() function attempts to copy page contents through the direct map, but secretmem pages are intentionally removed from the direct map for security purposes. This leads to a kernel crash with an unhandled page fault.
Root Cause
The root cause is the absence of an IS_ANON_FILE(inode) check in the file_thp_enabled() function. Anonymous inodes can never pass the inode_is_open_for_write() check since their i_writecount is never incremented through the normal VFS open path. The fix adds this check to explicitly exclude anonymous inode files from THP eligibility.
Attack Vector
The vulnerability is triggered through local operations that invoke THP collapse mechanisms on anonymous inode files. An attacker with local access could potentially trigger the vulnerability by:
- Creating or accessing secretmem or guest_memfd memory regions
- Using madvise() with MADV_COLLAPSE to force THP collapse
- Allowing khugepaged to naturally attempt collapse operations on eligible regions
The attack requires local access and the ability to allocate memory through these specialized interfaces. The crash occurs when collapse_file() attempts to access memory through the direct map that has been intentionally unmapped for security.
The kernel crash manifests with the following call trace:
BUG: unable to handle page fault for address: ffff88810284d000
RIP: 0010:memcpy_orig+0x16/0x130
Call Trace:
collapse_file
hpage_collapse_scan_file
madvise_collapse
Detection Methods for CVE-2026-23375
Indicators of Compromise
- Kernel crashes with page faults in memcpy_orig during collapse_file operations
- WARN_ON_ONCE messages referencing folio_test_large(folio) in kvm_gmem_fault_user_mapping()
- False memory failure recovery reports: "Memory failure: recovery action for clean unevictable LRU page: Recovered"
- Unexpected kernel panics during KVM guest memory operations
Detection Strategies
- Monitor kernel logs for page fault errors originating from collapse_file or hpage_collapse_scan_file
- Watch for WARN_ON_ONCE assertions in KVM-related code paths involving guest_memfd
- Deploy kernel tracing to monitor madvise() calls that pass the MADV_COLLAPSE flag on anonymous inode files
- Check for memory failure recovery messages that indicate false positive memory errors
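The log signatures listed above can be checked mechanically. The following Python scanner is an added example, not part of the original advisory or of any kernel tooling; the function name scan_kernel_log, the finding labels, the 60-line oops window and the sample log are assumptions made for illustration.

```python
import re

# Signatures taken from the indicators listed in this advisory.
PAGE_FAULT = re.compile(r"BUG: unable to handle page fault for address: (\S+)")
RIP_MEMCPY = re.compile(r"RIP: \S+:memcpy_orig\+")
COLLAPSE_FRAME = re.compile(r"\b(collapse_file|hpage_collapse_scan_file|madvise_collapse)\b")
GMEM_WARN = re.compile(r"WARNING:.*\bkvm_gmem_fault_user_mapping\b")
MEMFAIL = re.compile(r"Memory failure:.*recovery action for clean unevictable LRU page: Recovered")
END_TRACE = "---[ end trace"
MAX_OOPS_LINES = 60  # assumption: upper bound on lines scanned per oops

def scan_kernel_log(text):
    """Return (line_no, kind, detail) tuples for CVE-2026-23375 signatures."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        fault = PAGE_FAULT.search(line)
        if fault:
            rip_hit, frames = False, []
            for follow in lines[i + 1 : i + 1 + MAX_OOPS_LINES]:
                if END_TRACE in follow or PAGE_FAULT.search(follow):
                    break
                rip_hit = rip_hit or bool(RIP_MEMCPY.search(follow))
                frames += COLLAPSE_FRAME.findall(follow)
            # Require the faulting copy AND the collapse path, so an unrelated memcpy_orig fault is skipped.
            if rip_hit and "collapse_file" in frames:
                findings.append((i + 1, "collapse-oops", fault.group(1)))
        elif GMEM_WARN.search(line):
            findings.append((i + 1, "guest_memfd-large-folio-warn", ""))
        elif MEMFAIL.search(line):
            findings.append((i + 1, "false-memory-failure", ""))
    return findings

# Constructed sample log, not captured from a real system. The first oops mirrors
# the trace quoted in the advisory; the second is an unrelated memcpy_orig fault.
SAMPLE_LOG = """\
BUG: unable to handle page fault for address: ffff88810284d000
RIP: 0010:memcpy_orig+0x16/0x130
Call Trace:
 collapse_file
 hpage_collapse_scan_file
 madvise_collapse
BUG: unable to handle page fault for address: ffff888100000000
RIP: 0010:memcpy_orig+0x16/0x130
 hypothetical_driver_read
---[ end trace ]---
WARNING: CPU: 2 PID: 4312 at kvm_gmem_fault_user_mapping+0x4c/0x110
Memory failure: 0x102840: recovery action for clean unevictable LRU page: Recovered
"""
```

Pass the function the text of a saved kernel log (for example the output of dmesg or journalctl -k); each finding carries the 1-based line number where the signature starts.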
Monitoring Recommendations
- Enable kernel crash dump collection to capture diagnostic information
- Configure monitoring for kernel log messages containing memcpy_orig page faults
- Set up alerts for unusual KVM guest memory fault patterns
- Monitor systems running virtualized workloads for unexpected kernel warnings
How to Mitigate CVE-2026-23375
Immediate Actions Required
- Apply the kernel patches from the official Linux kernel git repository
- Review systems using KVM virtualization or secretmem for potential exposure
- Consider temporarily disabling CONFIG_READ_ONLY_THP_FOR_FS if immediate patching is not possible
- Monitor affected systems for crash reports matching the vulnerability signature
Patch Information
The Linux kernel development team has released patches to address this vulnerability. The fix adds an IS_ANON_FILE(inode) check in file_thp_enabled() to deny THP for all anonymous inode files. Multiple patch commits are available:
Workarounds
- Disable CONFIG_READ_ONLY_THP_FOR_FS kernel configuration option and rebuild the kernel
- Limit access to secretmem and guest_memfd interfaces to trusted users only
- Avoid using MADV_COLLAPSE on memory regions backed by anonymous inodes
- Monitor and restart affected KVM workloads if crashes occur before patching
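# Check if CONFIG_READ_ONLY_THP_FOR_FS is enabled
# (/proc/config.gz exists only with CONFIG_IKCONFIG_PROC; otherwise fall back to the config file in /boot)
zcat /proc/config.gz 2>/dev/null | grep CONFIG_READ_ONLY_THP_FOR_FS \
  || grep CONFIG_READ_ONLY_THP_FOR_FS "/boot/config-$(uname -r)"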
# Disable THP entirely as a temporary workaround
echo never > /sys/kernel/mm/transparent_hugepage/enabled
# Monitor for related kernel warnings
dmesg -w | grep -E "(collapse_file|folio_test_large|kvm_gmem)"