{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23375", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.003Z", "datePublished": "2026-03-25T10:27:55.754Z", "dateUpdated": "2026-04-13T06:06:09.991Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-13T06:06:09.991Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: thp: deny THP for files on anonymous inodes\n\nfile_thp_enabled() incorrectly allows THP for files on anonymous inodes\n(e.g. guest_memfd and secretmem). These files are created via\nalloc_file_pseudo(), which does not call get_write_access() and leaves\ninode->i_writecount at 0. Combined with S_ISREG(inode->i_mode) being\ntrue, they appear as read-only regular files when\nCONFIG_READ_ONLY_THP_FOR_FS is enabled, making them eligible for THP\ncollapse.\n\nAnonymous inodes can never pass the inode_is_open_for_write() check\nsince their i_writecount is never incremented through the normal VFS\nopen path. The right thing to do is to exclude them from THP eligibility\naltogether, since CONFIG_READ_ONLY_THP_FOR_FS was designed for real\nfilesystem files (e.g. shared libraries), not for pseudo-filesystem\ninodes.\n\nFor guest_memfd, this allows khugepaged and MADV_COLLAPSE to create\nlarge folios in the page cache via the collapse path, but the\nguest_memfd fault handler does not support large folios. This triggers\nWARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping().\n\nFor secretmem, collapse_file() tries to copy page contents through the\ndirect map, but secretmem pages are removed from the direct map. This\ncan result in a kernel crash:\n\n BUG: unable to handle page fault for address: ffff88810284d000\n RIP: 0010:memcpy_orig+0x16/0x130\n Call Trace:\n collapse_file\n hpage_collapse_scan_file\n madvise_collapse\n\nSecretmem is not affected by the crash on upstream as the memory failure\nrecovery handles the failed copy gracefully, but it still triggers\nconfusing false memory failure reports:\n\n Memory failure: 0x106d96f: recovery action for clean unevictable\n LRU page: Recovered\n\nCheck IS_ANON_FILE(inode) in file_thp_enabled() to deny THP for all\nanonymous inode files."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/huge_memory.c"], "versions": [{"version": "7fbb5e188248c50f737720825da1864ce42536d1", "lessThan": "08de46a75f91a6661bc1ce0a93614f4bc313c581", "status": "affected", "versionType": "git"}, {"version": "7fbb5e188248c50f737720825da1864ce42536d1", "lessThan": "0524ee56af2c9bfbad152a810f1ca95de8ca00d7", "status": "affected", "versionType": "git"}, {"version": "7fbb5e188248c50f737720825da1864ce42536d1", "lessThan": "f6fa05f0dddd387417d0c28281ddb951582514d6", "status": "affected", "versionType": "git"}, {"version": "7fbb5e188248c50f737720825da1864ce42536d1", "lessThan": "dd085fe9a8ebfc5d10314c60452db38d2b75e609", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/huge_memory.c"], "versions": [{"version": "6.8", "status": "affected"}, {"version": "0", "lessThan": "6.8", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/08de46a75f91a6661bc1ce0a93614f4bc313c581"}, {"url": "https://git.kernel.org/stable/c/0524ee56af2c9bfbad152a810f1ca95de8ca00d7"}, {"url": "https://git.kernel.org/stable/c/f6fa05f0dddd387417d0c28281ddb951582514d6"}, {"url": "https://git.kernel.org/stable/c/dd085fe9a8ebfc5d10314c60452db38d2b75e609"}], "title": "mm: thp: deny THP for files on anonymous inodes", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "72D11336-0D18-46CA-A42B-4E6F0E5748B7", "versionEndExcluding": "6.12.78", "versionStartIncluding": "6.8.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA", "versionEndExcluding": "6.18.17", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:-:*:*:*:*:*:*", "matchCriteriaId": "41E47F32-BA80-4333-96FD-4D25082B0FDD", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: thp: deny THP for files on anonymous inodes\n\nfile_thp_enabled() incorrectly allows THP for files on anonymous inodes\n(e.g. guest_memfd and secretmem). These files are created via\nalloc_file_pseudo(), which does not call get_write_access() and leaves\ninode->i_writecount at 0. Combined with S_ISREG(inode->i_mode) being\ntrue, they appear as read-only regular files when\nCONFIG_READ_ONLY_THP_FOR_FS is enabled, making them eligible for THP\ncollapse.\n\nAnonymous inodes can never pass the inode_is_open_for_write() check\nsince their i_writecount is never incremented through the normal VFS\nopen path. The right thing to do is to exclude them from THP eligibility\naltogether, since CONFIG_READ_ONLY_THP_FOR_FS was designed for real\nfilesystem files (e.g. shared libraries), not for pseudo-filesystem\ninodes.\n\nFor guest_memfd, this allows khugepaged and MADV_COLLAPSE to create\nlarge folios in the page cache via the collapse path, but the\nguest_memfd fault handler does not support large folios. This triggers\nWARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping().\n\nFor secretmem, collapse_file() tries to copy page contents through the\ndirect map, but secretmem pages are removed from the direct map. This\ncan result in a kernel crash:\n\n BUG: unable to handle page fault for address: ffff88810284d000\n RIP: 0010:memcpy_orig+0x16/0x130\n Call Trace:\n collapse_file\n hpage_collapse_scan_file\n madvise_collapse\n\nSecretmem is not affected by the crash on upstream as the memory failure\nrecovery handles the failed copy gracefully, but it still triggers\nconfusing false memory failure reports:\n\n Memory failure: 0x106d96f: recovery action for clean unevictable\n LRU page: Recovered\n\nCheck IS_ANON_FILE(inode) in file_thp_enabled() to deny THP for all\nanonymous inode files."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nmm: thp: denegar THP para archivos en inodos an\u00f3nimos\n\nfile_thp_enabled() permite incorrectamente THP para archivos en inodos an\u00f3nimos (por ejemplo, guest_memfd y secretmem). Estos archivos se crean a trav\u00e9s de alloc_file_pseudo(), que no llama a get_write_access() y deja inode->i_writecount en 0. Combinado con que S_ISREG(inode->i_mode) sea verdadero, aparecen como archivos regulares de solo lectura cuando CONFIG_READ_ONLY_THP_FOR_FS est\u00e1 habilitado, haci\u00e9ndolos elegibles para el colapso de THP.\n\nLos inodos an\u00f3nimos nunca pueden pasar la verificaci\u00f3n inode_is_open_for_write() ya que su i_writecount nunca se incrementa a trav\u00e9s de la ruta de apertura VFS normal. Lo correcto es excluirlos por completo de la elegibilidad para THP, ya que CONFIG_READ_ONLY_THP_FOR_FS fue dise\u00f1ado para archivos de sistemas de archivos reales (por ejemplo, bibliotecas compartidas), no para inodos de pseudo-sistemas de archivos.\n\nPara guest_memfd, esto permite a khugepaged y MADV_COLLAPSE crear folios grandes en la cach\u00e9 de p\u00e1ginas a trav\u00e9s de la ruta de colapso, pero el gestor de fallos de guest_memfd no soporta folios grandes. Esto activa WARN_ON_ONCE(folio_test_large(folio)) en kvm_gmem_fault_user_mapping().\n\nPara secretmem, collapse_file() intenta copiar el contenido de la p\u00e1gina a trav\u00e9s del mapa directo, pero las p\u00e1ginas de secretmem se eliminan del mapa directo. Esto puede resultar en un fallo del kernel:\n\n BUG: unable to handle page fault for address: ffff88810284d000\n RIP: 0010:memcpy_orig+0x16/0x130\n Call Trace:\n collapse_file\n hpage_collapse_scan_file\n madvise_collapse\n\nSecretmem no se ve afectado por el fallo en upstream ya que la recuperaci\u00f3n de fallos de memoria maneja la copia fallida con elegancia, pero a\u00fan as\u00ed activa informes confusos de falsos fallos de memoria:\n\n Memory failure: 0x106d96f: recovery action for clean unevictable\n LRU page: Recovered\n\nVerificar IS_ANON_FILE(inode) en file_thp_enabled() para denegar THP para todos los archivos de inodos an\u00f3nimos."}], "id": "CVE-2026-23375", "lastModified": "2026-04-24T16:31:31.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T11:16:37.230", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0524ee56af2c9bfbad152a810f1ca95de8ca00d7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/08de46a75f91a6661bc1ce0a93614f4bc313c581"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/dd085fe9a8ebfc5d10314c60452db38d2b75e609"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f6fa05f0dddd387417d0c28281ddb951582514d6"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: mm: thp: deny THP for files on anonymous inodes", "id": "2451199", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451199"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in the Linux kernel's Transparent Huge Pages (THP) mechanism. This vulnerability occurs because the `file_thp_enabled()` function incorrectly allows THP for files on anonymous inodes, which are not designed for this feature. An attacker could potentially exploit this by manipulating specific memory operations, leading to a kernel crash when handling secret memory pages. Additionally, it can cause incorrect memory failure reports for guest memory files."], "name": "CVE-2026-23375", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23375\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23375\nhttps://lore.kernel.org/linux-cve-announce/2026032541-CVE-2026-23375-91b1@gregkh/T"], "statement": "This flaw affects systems using THP with guest_memfd (KVM) or secretmem. Anonymous inodes incorrectly pass THP eligibility checks, causing khugepaged to create large folios that these subsystems don't support. For secretmem, collapse_file() accesses pages removed from direct map, causing crashes. Requires CONFIG_READ_ONLY_THP_FOR_FS and use of affected pseudo-filesystems.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[7fbb5e188248c50f737720825da1864ce42536d1,08de46a75f91a6661bc1ce0a93614f4bc313c581)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[7fbb5e188248c50f737720825da1864ce42536d1,0524ee56af2c9bfbad152a810f1ca95de8ca00d7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[7fbb5e188248c50f737720825da1864ce42536d1,f6fa05f0dddd387417d0c28281ddb951582514d6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[7fbb5e188248c50f737720825da1864ce42536d1,dd085fe9a8ebfc5d10314c60452db38d2b75e609)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.8"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.8)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T09:09:31.748203+00:00", "value": {"mitigation_remediation": ["Upgrade the kernel to a release that contains the file_thp_enabled() patch (commit 0524ee56f).", "Reconfigure the kernel to disable THP collapse for anonymous inodes by either disabling CONFIG_READ_ONLY_THP_FOR_FS entirely or, as a temporary fix, setting /sys/kernel/mm/transparent_hugepage/enabled to \"never\".", "Optional: Monitor kernel dmesg for WARN_ON_ONCE or BUG messages related to THP collapse to verify the vulnerability no longer manifests."], "summary": {"action": "Patch Immediately", "impact": "Kernel Crash (Denial of Service)"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases compiled with CONFIG_READ_ONLY_THP_FOR_FS enabled and that have not incorporated the upstream patch (commit 0524ee56f) are affected. This includes mainstream distribution kernels that expose guest_memfd or secretmem or otherwise allow THP collapse on pseudo\u2011filesystem inodes. The vulnerability applies to the core kernel regardless of vendor; any distribution kernel using the default configuration for THP on read\u2011only files can be impacted.", "description_and_impact": "The Linux kernel\u2019s transparent hugepage subsystem incorrectly permits THP collapse for files that reside on anonymous inodes, such as guest_memfd and secretmem, when CONFIG_READ_ONLY_THP_FOR_FS is enabled. This results from a buffer handling error combined with input validation weaknesses (CWE\u2011825 and CWE\u2011617) because the kernel fails to exclude pseudo\u2011filesystem objects from THP eligibility. When collapse is attempted, the guest_memfd fault handler or the secretmem copy routine faults on large folios, which can trigger WARN_ON_ONCE or a full kernel crash. The flaw does not provide arbitrary code execution, but it can bring the host down through a denial\u2011of\u2011service that is triggered by the kernel\u2019s own memory management path.", "risk_and_exploitability": "The CVSS base score of 5.5 indicates moderate impact while the EPSS score is under 1%, implying a low prevalence of active exploitation today. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers would need local access to create or interact with the vulnerable pseudo\u2011FS objects and to enable transparent hugepage collapse for them, making exploitation a local attack. Given the severity and the possibility of a kernel crash, the vulnerability should be treated as a high\u2011priority patching issue."}}}}, "created": "2026-03-25T21:31:40.821005+00:00", "updated": "2026-04-28T09:15:09.687672+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}