CVE-2026-53154

Source
https://cve.org/CVERecord?id=CVE-2026-53154
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53154.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53154
Downstream
Related
Published
2026-06-25T08:38:38.168Z
Modified
2026-07-09T03:51:14.533672411Z
Summary
mm/hugetlb: restore reservation on error in hugetlb folio copy paths
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: restore reservation on error in hugetlb folio copy paths

Two sites in mm/hugetlb.c allocate a hugetlb folio via allochugetlbfolio() (consuming a VMA reservation) and then call copyuserlargefolio(), which became int-returning in commit 1cb9dc4b475c ("mm: hwpoison: support recovery from HugePage copy-on-write faults") and can now fail (e.g. -EHWPOISON on a hwpoisoned source page). On the failure path, folioput() restores the global hugetlb pool count through freehugefolio(), but the per-VMA reservation map entry is left marked consumed:

  • hugetlbmfillatomicpte() resubmission path (UFFDIOCOPY)
  • copyhugetlbpagerange() fork-time CoW path when hugetlbtrydupanon_rmap() fails (rare: pinned hugetlb anon folio under fork)

User-visible effect: on UFFDIO_COPY into a private hugetlb VMA where the resubmission copy fails, the reservation for that address is leaked from the VMA's reserve map. A subsequent fault at the same address takes the no-reservation path, and under hugetlb pool pressure the task is SIGBUSed at an address it had previously reserved. The fork-time CoW path leaks the same way in the child VMA's reserve map, though it requires the much rarer combination of pinned hugetlb anon page + hwpoisoned source.

Add the missing restorereserveonerror() call before folioput() on both error paths.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53154.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1cb9dc4b475c7418f925ab0c97b6750007d9f52e
Fixed
8d6e1dd3ad1340cd8b6d554b7aa93d8f0a1c6d38
Fixed
e47bf16af3c45470ea32f2241fa69aefe0dd61bd
Fixed
c72469ac0f274bde3f0df60a4584e14a123d0aa6
Fixed
45e33d43243d71d089af42f5077b8213cee6610f
Fixed
40c81856e622a9dc59294a90d169ac07ea25b0b0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53154.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.4.0
Fixed
6.6.143
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.94
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53154.json"