CVE-2026-53342

Source
https://cve.org/CVERecord?id=CVE-2026-53342
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53342.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53342
Downstream
Published
2026-07-01T13:32:23.449Z
Modified
2026-07-08T08:13:46.289767428Z
Summary
arm64: mm: call pagetable dtor when freeing hot-removed page tables
Details

In the Linux kernel, the following vulnerability has been resolved:

arm64: mm: call pagetable dtor when freeing hot-removed page tables

Since 5e8eb9aeeda3 ("arm64: mm: always call PTE/PMD ctor in createpgdmapping()") page-table allocation on ARM64 always calls pagetable{pte,pmd,pud,p4d}ctor(). This sets the pagetype to PGTYtable, increments NRPAGETABLE and possible allocates a PTL. However the matching pagetabledtor() calls were never added.

With DEBUGVM enabled on kernel versions prior to v6.17 without 2dfcd1608f3a9 ("mm/pagealloc: let page freeing clear any set page type") this leads to the following warning when freeing these pages due to page->page_type sharing page->_mapcount:

BUG: Bad page state in process ... pfn:284fbb page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x284fbb flags: 0x17fffc000000000(node=0|zone=2|lastcpupid=0x1ffff) pagetype: f2(table) page dumped because: nonzero mapcount Call trace: badpage+0x13c/0x160 __freefrozenpages+0x6cc/0x860 ___freepages+0xf4/0x180 freepages+0x54/0x80 freehotplugpagerange.part.0+0x58/0x90 freeempty_tables+0x438/0x500 _removepgdmapping.constprop.0+0x60/0xa8 archremovememory+0x48/0x80 tryremovememory+0x158/0x1d8 offlineandremovememory+0x138/0x180

It can also lead to leaking the ptl allocation if ALLOCSPLITPTLOCKS is defined and incorrect NRPAGETABLE stats. Fix this by calling pagetabledtor() in freehotplugpgtablepage() prior to freeing the page to undo the effects of calling pagetable*_ctor().

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53342.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5e8eb9aeeda3a7aaf48efa1d34ae804e894e307f
Fixed
95f27fcda681021ed3906d3cae7e68b6a57a1d8e
Fixed
aaa688ac9f18207f7452c6472e647c1febaea6a3
Fixed
c594b83457ccdee76d458416fb3bc9348a37592f

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53342.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.16.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53342.json"