Bug 2436802 (CVE-2026-23097)

Summary: CVE-2026-23097 kernel: Linux kernel: Denial of Service due to a deadlock in hugetlb folio migration
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel. A local attacker could exploit a deadlock vulnerability due to incorrect lock ordering between folio_lock and i_mmap_rwsem when migrating hugetlb file-backed folios. This could lead to hung tasks and potential system-wide stalls, resulting in a Denial of Service (DoS).
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-02-04 17:04:05 UTC 
In the Linux kernel, the following vulnerability has been resolved:

migrate: correct lock ordering for hugetlb file folios

Syzbot has found a deadlock (analyzed by Lance Yang):

1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).
2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire
folio_lock.

migrate_pages()
  -> migrate_hugetlbs()
    -> unmap_and_move_huge_page()     <- Takes folio_lock!
      -> remove_migration_ptes()
        -> __rmap_walk_file()
          -> i_mmap_lock_read()       <- Waits for i_mmap_rwsem(read lock)!

hugetlbfs_fallocate()
  -> hugetlbfs_punch_hole()           <- Takes i_mmap_rwsem(write lock)!
    -> hugetlbfs_zero_partial_page()
     -> filemap_lock_hugetlb_folio()
      -> filemap_lock_folio()
        -> __filemap_get_folio        <- Waits for folio_lock!

The migration path is the one taking locks in the wrong order according to
the documentation at the top of mm/rmap.c.  So expand the scope of the
existing i_mmap_lock to cover the calls to remove_migration_ptes() too.

This is (mostly) how it used to be after commit c0d0381ade79.  That was
removed by 336bf30eb765 for both file & anon hugetlb pages when it should
only have been removed for anon hugetlb pages.
Comment 1 Jon Moroney 2026-02-04 21:35:43 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026020427-CVE-2026-23097-a591@gregkh/T
Comment 4 errata-xmlrpc 2026-03-02 00:11:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:3463 https://access.redhat.com/errata/RHSA-2026:3463
Comment 5 errata-xmlrpc 2026-03-02 00:35:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:3464 https://access.redhat.com/errata/RHSA-2026:3464
Comment 6 errata-xmlrpc 2026-03-02 02:59:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:3488 https://access.redhat.com/errata/RHSA-2026:3488
Comment 7 errata-xmlrpc 2026-03-09 09:41:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:4012 https://access.redhat.com/errata/RHSA-2026:4012
Comment 8 errata-xmlrpc 2026-04-23 22:46:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:10108 https://access.redhat.com/errata/RHSA-2026:10108
Comment 11 errata-xmlrpc 2026-04-28 04:01:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:11313 https://access.redhat.com/errata/RHSA-2026:11313
Comment 12 errata-xmlrpc 2026-05-05 09:29:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:13664 https://access.redhat.com/errata/RHSA-2026:13664
Comment 13 errata-xmlrpc 2026-05-05 10:15:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:13681 https://access.redhat.com/errata/RHSA-2026:13681
Comment 14 errata-xmlrpc 2026-05-05 13:05:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:13734 https://access.redhat.com/errata/RHSA-2026:13734
Comment 15 errata-xmlrpc 2026-05-06 08:15:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:13936 https://access.redhat.com/errata/RHSA-2026:13936
Comment 16 errata-xmlrpc 2026-05-06 13:38:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:14137 https://access.redhat.com/errata/RHSA-2026:14137
Comment 17 errata-xmlrpc 2026-05-06 18:45:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:14301 https://access.redhat.com/errata/RHSA-2026:14301
Comment 18 errata-xmlrpc 2026-05-11 00:29:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:15883 https://access.redhat.com/errata/RHSA-2026:15883