In the Linux kernel, the following vulnerability has been resolved:
arm64: mm: call pagetable dtor when freeing hot-removed page tables
Since 5e8eb9aeeda3 ("arm64: mm: always call PTE/PMD ctor in createpgdmapping()") page-table allocation on ARM64 always calls pagetable{pte,pmd,pud,p4d}ctor(). This sets the pagetype to PGTYtable, increments NRPAGETABLE and possible allocates a PTL. However the matching pagetabledtor() calls were never added.
With DEBUGVM enabled on kernel versions prior to v6.17 without 2dfcd1608f3a9 ("mm/pagealloc: let page freeing clear any set page type") this leads to the following warning when freeing these pages due to page->page_type sharing page->_mapcount:
BUG: Bad page state in process ... pfn:284fbb page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x284fbb flags: 0x17fffc000000000(node=0|zone=2|lastcpupid=0x1ffff) pagetype: f2(table) page dumped because: nonzero mapcount Call trace: badpage+0x13c/0x160 __freefrozenpages+0x6cc/0x860 ___freepages+0xf4/0x180 freepages+0x54/0x80 freehotplugpagerange.part.0+0x58/0x90 freeempty_tables+0x438/0x500 _removepgdmapping.constprop.0+0x60/0xa8 archremovememory+0x48/0x80 tryremovememory+0x158/0x1d8 offlineandremovememory+0x138/0x180
It can also lead to leaking the ptl allocation if ALLOCSPLITPTLOCKS is defined and incorrect NRPAGETABLE stats. Fix this by calling pagetabledtor() in freehotplugpgtablepage() prior to freeing the page to undo the effects of calling pagetable*_ctor().
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53342.json",
"cna_assigner": "Linux"
}