{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-53154", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-06-09T07:44:35.388Z", "datePublished": "2026-06-25T08:38:38.168Z", "dateUpdated": "2026-06-25T08:38:38.168Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-06-25T08:38:38.168Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: restore reservation on error in hugetlb folio copy paths\n\nTwo sites in mm/hugetlb.c allocate a hugetlb folio via\nalloc_hugetlb_folio() (consuming a VMA reservation) and then call\ncopy_user_large_folio(), which became int-returning in commit 1cb9dc4b475c\n(\"mm: hwpoison: support recovery from HugePage copy-on-write faults\") and\ncan now fail (e.g. -EHWPOISON on a hwpoisoned source page). On the\nfailure path, folio_put() restores the global hugetlb pool count through\nfree_huge_folio(), but the per-VMA reservation map entry is left marked\nconsumed:\n\n - hugetlb_mfill_atomic_pte() resubmission path (UFFDIO_COPY)\n - copy_hugetlb_page_range() fork-time CoW path when\n hugetlb_try_dup_anon_rmap() fails (rare: pinned hugetlb anon\n folio under fork)\n\nUser-visible effect: on UFFDIO_COPY into a private hugetlb VMA where the\nresubmission copy fails, the reservation for that address is leaked from\nthe VMA's reserve map. A subsequent fault at the same address takes the\nno-reservation path, and under hugetlb pool pressure the task is SIGBUSed\nat an address it had previously reserved. The fork-time CoW path leaks\nthe same way in the child VMA's reserve map, though it requires the much\nrarer combination of pinned hugetlb anon page + hwpoisoned source.\n\nAdd the missing restore_reserve_on_error() call before folio_put() on both\nerror paths."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/hugetlb.c"], "versions": [{"version": "1cb9dc4b475c7418f925ab0c97b6750007d9f52e", "lessThan": "8d6e1dd3ad1340cd8b6d554b7aa93d8f0a1c6d38", "status": "affected", "versionType": "git"}, {"version": "1cb9dc4b475c7418f925ab0c97b6750007d9f52e", "lessThan": "e47bf16af3c45470ea32f2241fa69aefe0dd61bd", "status": "affected", "versionType": "git"}, {"version": "1cb9dc4b475c7418f925ab0c97b6750007d9f52e", "lessThan": "c72469ac0f274bde3f0df60a4584e14a123d0aa6", "status": "affected", "versionType": "git"}, {"version": "1cb9dc4b475c7418f925ab0c97b6750007d9f52e", "lessThan": "45e33d43243d71d089af42f5077b8213cee6610f", "status": "affected", "versionType": "git"}, {"version": "1cb9dc4b475c7418f925ab0c97b6750007d9f52e", "lessThan": "40c81856e622a9dc59294a90d169ac07ea25b0b0", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/hugetlb.c"], "versions": [{"version": "6.4", "status": "affected"}, {"version": "0", "lessThan": "6.4", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.143", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.94", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.36", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.13", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.6.143"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.12.94"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.18.36"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "7.0.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "7.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/8d6e1dd3ad1340cd8b6d554b7aa93d8f0a1c6d38"}, {"url": "https://git.kernel.org/stable/c/e47bf16af3c45470ea32f2241fa69aefe0dd61bd"}, {"url": "https://git.kernel.org/stable/c/c72469ac0f274bde3f0df60a4584e14a123d0aa6"}, {"url": "https://git.kernel.org/stable/c/45e33d43243d71d089af42f5077b8213cee6610f"}, {"url": "https://git.kernel.org/stable/c/40c81856e622a9dc59294a90d169ac07ea25b0b0"}], "title": "mm/hugetlb: restore reservation on error in hugetlb folio copy paths", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{}

{"bugzilla": {"description": "kernel: mm/hugetlb: restore reservation on error in hugetlb folio copy paths", "id": "2492766", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492766"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-772", "details": ["A flaw was found in the Linux kernel's huge page (hugetlb) memory management. When an error occurs during the copying of huge pages, the system fails to properly restore the memory reservation. This can lead to a leak of the virtual memory area (VMA) reservation. A local attacker could exploit this by performing specific memory operations, which may result in a denial of service (DoS) due, for example, to a task being terminated unexpectedly."], "name": "CVE-2026-53154", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-06-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-53154\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-53154\nhttps://lore.kernel.org/linux-cve-announce/2026062547-CVE-2026-53154-7b6f@gregkh/T"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1cb9dc4b475c7418f925ab0c97b6750007d9f52e,8d6e1dd3ad1340cd8b6d554b7aa93d8f0a1c6d38)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1cb9dc4b475c7418f925ab0c97b6750007d9f52e,e47bf16af3c45470ea32f2241fa69aefe0dd61bd)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1cb9dc4b475c7418f925ab0c97b6750007d9f52e,c72469ac0f274bde3f0df60a4584e14a123d0aa6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1cb9dc4b475c7418f925ab0c97b6750007d9f52e,45e33d43243d71d089af42f5077b8213cee6610f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1cb9dc4b475c7418f925ab0c97b6750007d9f52e,40c81856e622a9dc59294a90d169ac07ea25b0b0)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.4"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.4)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.6.143,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.94,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.36,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0.13,7.1.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "created": "2026-06-25T13:15:03.762119+00:00", "updated": "2026-06-26T16:00:04.761152+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}