{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23097", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.964Z", "datePublished": "2026-02-04T16:08:19.815Z", "dateUpdated": "2026-05-11T21:59:56.711Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:59:56.711Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmigrate: correct lock ordering for hugetlb file folios\n\nSyzbot has found a deadlock (analyzed by Lance Yang):\n\n1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).\n2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire\nfolio_lock.\n\nmigrate_pages()\n -> migrate_hugetlbs()\n -> unmap_and_move_huge_page() <- Takes folio_lock!\n -> remove_migration_ptes()\n -> __rmap_walk_file()\n -> i_mmap_lock_read() <- Waits for i_mmap_rwsem(read lock)!\n\nhugetlbfs_fallocate()\n -> hugetlbfs_punch_hole() <- Takes i_mmap_rwsem(write lock)!\n -> hugetlbfs_zero_partial_page()\n -> filemap_lock_hugetlb_folio()\n -> filemap_lock_folio()\n -> __filemap_get_folio <- Waits for folio_lock!\n\nThe migration path is the one taking locks in the wrong order according to\nthe documentation at the top of mm/rmap.c. So expand the scope of the\nexisting i_mmap_lock to cover the calls to remove_migration_ptes() too.\n\nThis is (mostly) how it used to be after commit c0d0381ade79. That was\nremoved by 336bf30eb765 for both file & anon hugetlb pages when it should\nonly have been removed for anon hugetlb pages."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/migrate.c"], "versions": [{"version": "336bf30eb76580b579dc711ded5d599d905c0217", "lessThan": "e7396d23f9d5739f56cf9ab430c3a169f5508394", "status": "affected", "versionType": "git"}, {"version": "336bf30eb76580b579dc711ded5d599d905c0217", "lessThan": "ad97b9a55246eb940a26ac977f80892a395cabf9", "status": "affected", "versionType": "git"}, {"version": "336bf30eb76580b579dc711ded5d599d905c0217", "lessThan": "5edb9854f8df5428b40990a1c7d60507da5bd330", "status": "affected", "versionType": "git"}, {"version": "336bf30eb76580b579dc711ded5d599d905c0217", "lessThan": "526394af4e8ade89cacd1a9ce2b97712712fcc34", "status": "affected", "versionType": "git"}, {"version": "336bf30eb76580b579dc711ded5d599d905c0217", "lessThan": "b75070823b89009f5123fd0e05a8e0c3d39937c1", "status": "affected", "versionType": "git"}, {"version": "336bf30eb76580b579dc711ded5d599d905c0217", "lessThan": "1b68efce6dd483d22f50d0d3800c4cfda14b1305", "status": "affected", "versionType": "git"}, {"version": "336bf30eb76580b579dc711ded5d599d905c0217", "lessThan": "b7880cb166ab62c2409046b2347261abf701530e", "status": "affected", "versionType": "git"}, {"version": "ef792d6ce0db6a56e56743b1de1716a982c3b851", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/migrate.c"], "versions": [{"version": "5.10", "status": "affected"}, {"version": "0", "lessThan": "5.10", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.249", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.199", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.162", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.122", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.68", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.8", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "5.10.249"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "5.15.199"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.1.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.6.122"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.12.68"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.18.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9.9"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/e7396d23f9d5739f56cf9ab430c3a169f5508394"}, {"url": "https://git.kernel.org/stable/c/ad97b9a55246eb940a26ac977f80892a395cabf9"}, {"url": "https://git.kernel.org/stable/c/5edb9854f8df5428b40990a1c7d60507da5bd330"}, {"url": "https://git.kernel.org/stable/c/526394af4e8ade89cacd1a9ce2b97712712fcc34"}, {"url": "https://git.kernel.org/stable/c/b75070823b89009f5123fd0e05a8e0c3d39937c1"}, {"url": "https://git.kernel.org/stable/c/1b68efce6dd483d22f50d0d3800c4cfda14b1305"}, {"url": "https://git.kernel.org/stable/c/b7880cb166ab62c2409046b2347261abf701530e"}], "title": "migrate: correct lock ordering for hugetlb file folios", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9598C575-CE16-4F2B-A517-667AA54B4B86", "versionEndExcluding": "5.10", "versionStartIncluding": "5.9.9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FE8CC3D1-1602-4F1D-A05B-F0E1722A86DD", "versionEndExcluding": "5.10.249", "versionStartIncluding": "5.10.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A247FBA6-BEB9-484F-B892-DD5517949CCD", "versionEndExcluding": "5.15.199", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6579E0D4-0641-479D-A4C3-0EF618798C55", "versionEndExcluding": "6.1.162", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8EAAE395-0162-4BAF-9AD5-E9AF3C869C4F", "versionEndExcluding": "6.6.122", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "52F38E19-0FDD-4992-9D6D-D4169D689598", "versionEndExcluding": "6.12.68", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E65C6E79-7EBE-4C77-93F0-818CF5B38F4E", "versionEndExcluding": "6.18.8", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.10:-:*:*:*:*:*:*", "matchCriteriaId": "B29EBB93-107F-4ED6-8DE3-C2732BC659C3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.10:rc4:*:*:*:*:*:*", "matchCriteriaId": "0CD159FA-170F-4389-9085-CACCF97ABB1E", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.10:rc5:*:*:*:*:*:*", "matchCriteriaId": "F0390D83-6C17-4557-BE8D-B659E04F565A", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.10:rc6:*:*:*:*:*:*", "matchCriteriaId": "4120E4B3-B66D-4ACE-8570-1DD4DF20A324", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.10:rc7:*:*:*:*:*:*", "matchCriteriaId": "73D60343-647D-4B5D-AA6D-CE87C462E368", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmigrate: correct lock ordering for hugetlb file folios\n\nSyzbot has found a deadlock (analyzed by Lance Yang):\n\n1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).\n2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire\nfolio_lock.\n\nmigrate_pages()\n -> migrate_hugetlbs()\n -> unmap_and_move_huge_page() <- Takes folio_lock!\n -> remove_migration_ptes()\n -> __rmap_walk_file()\n -> i_mmap_lock_read() <- Waits for i_mmap_rwsem(read lock)!\n\nhugetlbfs_fallocate()\n -> hugetlbfs_punch_hole() <- Takes i_mmap_rwsem(write lock)!\n -> hugetlbfs_zero_partial_page()\n -> filemap_lock_hugetlb_folio()\n -> filemap_lock_folio()\n -> __filemap_get_folio <- Waits for folio_lock!\n\nThe migration path is the one taking locks in the wrong order according to\nthe documentation at the top of mm/rmap.c. So expand the scope of the\nexisting i_mmap_lock to cover the calls to remove_migration_ptes() too.\n\nThis is (mostly) how it used to be after commit c0d0381ade79. That was\nremoved by 336bf30eb765 for both file & anon hugetlb pages when it should\nonly have been removed for anon hugetlb pages."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nmigrate: orden correcto de bloqueo para folios de archivo hugetlb\n\nSyzbot ha encontrado un interbloqueo (analizado por Lance Yang):\n\n1) Tarea (5749): Mantiene folio_lock, luego intenta adquirir i_mmap_rwsem (bloqueo de lectura).\n2) Tarea (5754): Mantiene i_mmap_rwsem (bloqueo de escritura), luego intenta adquirir folio_lock.\n\nmigrate_pages()\n -&gt; migrate_hugetlbs()\n -&gt; unmap_and_move_huge_page() &lt;- \u00a1Toma folio_lock!\n -&gt; remove_migration_ptes()\n -&gt; __rmap_walk_file()\n -&gt; i_mmap_lock_read() &lt;- \u00a1Espera por i_mmap_rwsem (bloqueo de lectura)!\n\nhugetlbfs_fallocate()\n -&gt; hugetlbfs_punch_hole() &lt;- \u00a1Toma i_mmap_rwsem (bloqueo de escritura)!\n -&gt; hugetlbfs_zero_partial_page()\n -&gt; filemap_lock_hugetlb_folio()\n -&gt; filemap_lock_folio()\n -&gt; __filemap_get_folio &lt;- \u00a1Espera por folio_lock!\n\nLa ruta de migraci\u00f3n es la que toma los bloqueos en el orden incorrecto seg\u00fan la documentaci\u00f3n en la parte superior de mm/rmap.c. As\u00ed que expandir el alcance del i_mmap_lock existente para cubrir tambi\u00e9n las llamadas a remove_migration_ptes().\n\nEsto es (en su mayor\u00eda) como sol\u00eda ser despu\u00e9s del commit c0d0381ade79. Eso fue eliminado por 336bf30eb765 tanto para p\u00e1ginas hugetlb de archivo como an\u00f3nimas cuando solo deber\u00eda haber sido eliminado para p\u00e1ginas hugetlb an\u00f3nimas."}], "id": "CVE-2026-23097", "lastModified": "2026-03-18T12:47:17.880", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-04T17:16:20.570", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1b68efce6dd483d22f50d0d3800c4cfda14b1305"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/526394af4e8ade89cacd1a9ce2b97712712fcc34"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5edb9854f8df5428b40990a1c7d60507da5bd330"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ad97b9a55246eb940a26ac977f80892a395cabf9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b75070823b89009f5123fd0e05a8e0c3d39937c1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b7880cb166ab62c2409046b2347261abf701530e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e7396d23f9d5739f56cf9ab430c3a169f5508394"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: migrate: correct lock ordering for hugetlb file folios", "id": "2436802", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436802"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23097", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23097\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23097\nhttps://lore.kernel.org/linux-cve-announce/2026020427-CVE-2026-23097-a591@gregkh/T"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-17T23:32:44.724268+00:00", "value": {"mitigation_remediation": ["Install the latest patched kernel version supplied by your distribution that incorporates the lock ordering fix.", "Reboot the system to ensure the updated kernel is active.", "Monitor the system for stalls or deadlocks, and limit or avoid heavy hugetlbfs operations until the patch is applied."], "summary": {"action": "Apply patch", "impact": "Denial of Service via kernel deadlock"}, "threat_synthesis": {"affected_systems": "All Linux kernel installations that include the affected code paths. Kernels 5.10 (release candidates rc4 through rc7) and 6.19 (release candidates rc1 through rc6) contain the pre\u2011fix code as shown in the CPE list. Any distribution using one of these kernel versions without the corresponding patch is exposed.", "description_and_impact": "The vulnerability corrects lock ordering for hugetlb file folios in the Linux kernel. A deadlock can arise when one task holds the folio lock and then attempts to acquire the i_mmap_rwsem read lock while another task holds the i_mmap_rwsem write lock and then attempts to acquire the folio lock. This race condition can cause the affected processes to hang and, in worst\u2011case scenarios, stall the system by blocking I/O or memory migration operations. The impact is a denial of service rather than a disclosure or privilege escalation.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity. EPSS is less than 1%, labeling the likelihood of exploitation extremely low. The bug does not provide remote code execution capabilities and typically requires concurrent local tasks to trigger the deadlock, making it unlikely to be exploited by remote attackers. The vulnerability is not currently listed in the CISA KEV catalog, further indicating limited real\u2011world exploitation. However, affected systems should still address the issue promptly to avoid potential service interruptions."}}}}, "created": "2026-04-17T23:45:25.808233+00:00", "updated": "2026-04-17T23:45:25.808243+00:00", "vendors": []}