2436802 – (CVE-2026-23097) CVE-2026-23097 kernel: Linux kernel: Denial of Service due to a deadlock in hugetlb folio migration

Bug 2436802 (CVE-2026-23097) - CVE-2026-23097 kernel: Linux kernel: Denial of Service due to a deadlock in hugetlb folio migration

Summary: CVE-2026-23097 kernel: Linux kernel: Denial of Service due to a deadlock in h...

Keywords:
Status:	NEW
Alias:	CVE-2026-23097
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-04 17:04 UTC by OSIDB Bzimport
Modified:	2026-03-02 02:59 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2026:3463	None	None	None	2026-03-02 00:11:57 UTC
Red Hat Product Errata	RHSA-2026:3464	None	None	None	2026-03-02 00:35:56 UTC
Red Hat Product Errata	RHSA-2026:3488	None	None	None	2026-03-02 02:59:27 UTC

Description OSIDB Bzimport 2026-02-04 17:04:05 UTC

In the Linux kernel, the following vulnerability has been resolved:

migrate: correct lock ordering for hugetlb file folios

Syzbot has found a deadlock (analyzed by Lance Yang):

1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).
2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire
folio_lock.

migrate_pages()
  -> migrate_hugetlbs()
    -> unmap_and_move_huge_page()     <- Takes folio_lock!
      -> remove_migration_ptes()
        -> __rmap_walk_file()
          -> i_mmap_lock_read()       <- Waits for i_mmap_rwsem(read lock)!

hugetlbfs_fallocate()
  -> hugetlbfs_punch_hole()           <- Takes i_mmap_rwsem(write lock)!
    -> hugetlbfs_zero_partial_page()
     -> filemap_lock_hugetlb_folio()
      -> filemap_lock_folio()
        -> __filemap_get_folio        <- Waits for folio_lock!

The migration path is the one taking locks in the wrong order according to
the documentation at the top of mm/rmap.c.  So expand the scope of the
existing i_mmap_lock to cover the calls to remove_migration_ptes() too.

This is (mostly) how it used to be after commit c0d0381ade79.  That was
removed by 336bf30eb765 for both file & anon hugetlb pages when it should
only have been removed for anon hugetlb pages.

Comment 1 Jon Moroney 2026-02-04 21:35:43 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026020427-CVE-2026-23097-a591@gregkh/T

Comment 4 errata-xmlrpc 2026-03-02 00:11:56 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:3463 https://access.redhat.com/errata/RHSA-2026:3463

Comment 5 errata-xmlrpc 2026-03-02 00:35:55 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:3464 https://access.redhat.com/errata/RHSA-2026:3464

Comment 6 errata-xmlrpc 2026-03-02 02:59:26 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:3488 https://access.redhat.com/errata/RHSA-2026:3488

Note You need to log in before you can comment on or make changes to this bug.