NVD

CVE-2026-53207 Detail

Received

This CVE record has recently been published to the CVE List and has been included within the NVD dataset.

Description

In the Linux kernel, the following vulnerability has been resolved: mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison Two concurrent madvise(MADV_HWPOISON) calls on the same hugetlb page can trigger a recursive spinlock self-deadlock (AA deadlock) on hugetlb_lock when racing with a concurrent unmap: thread#0 thread#1 -------- -------- madvise(folio, MADV_HWPOISON) -> poisons the folio successfully madvise(folio, MADV_HWPOISON) unmap(folio) try_memory_failure_hugetlb get_huge_page_for_hwpoison spin_lock_irq(&hugetlb_lock) <- held __get_huge_page_for_hwpoison hugetlb_update_hwpoison() -> MF_HUGETLB_FOLIO_PRE_POISONED goto out: folio_put() refcount: 1 -> 0 free_huge_folio() spin_lock_irqsave(&hugetlb_lock) -> AA DEADLOCK! The out: path in __get_huge_page_for_hwpoison() calls folio_put() to drop the GUP reference while the hugetlb_lock is still held by the hugetlb.c wrapper get_huge_page_for_hwpoison(). If concurrent unmap has released the page table mapping reference, folio_put() drops the folio refcount to zero, triggering free_huge_folio() which attempts to re-acquire the non-recursive hugetlb_lock. Fix this by moving hugetlb_lock acquisition from the hugetlb.c wrapper into get_huge_page_for_hwpoison(). Place spin_unlock_irq() before the folio_put() at the out: label so the folio is always released outside the lock. [[email protected]: fix race, rename label per Miaohe]

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL	Source(s)	Tag(s)
https://git.kernel.org/stable/c/3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e	kernel.org
https://git.kernel.org/stable/c/77b73b54801ae7137479c141fd0473a491c1dc48	kernel.org
https://git.kernel.org/stable/c/a33bfed648c10f5a1519981dbfad80841191edc8	kernel.org
https://git.kernel.org/stable/c/bf7ba8f96c258c30393814491930ae4ecdc5fe5e	kernel.org
https://git.kernel.org/stable/c/dd77a83915b07e2b0205adb284f08b39ae31dc4b	kernel.org
https://git.kernel.org/stable/c/fc3ff42cb0cbf947e4600ae9761c3783760050e2	kernel.org

Weakness Enumeration

CWE-ID	CWE Name	Source

Change History

1 change records found show changes

New CVE Received from kernel.org 6/25/2026 5:16:38 AM

Action	Type	New Value
Added	Description	In the Linux kernel, the following vulnerability has been resolved: mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison Two concurrent madvise(MADV_HWPOISON) calls on the same hugetlb page can trigger a recursive spinlock self-deadlock (AA deadlock) on hugetlb_lock when racing with a concurrent unmap: thread#0 thread#1 -------- -------- madvise(folio, MADV_HWPOISON) -> poisons the folio successfully madvise(folio, MADV_HWPOISON) unmap(folio) try_memory_failure_hugetlb get_huge_page_for_hwpoison spin_lock_irq(&hugetlb_lock) <- held __get_huge_page_for_hwpoison hugetlb_update_hwpoison() -> MF_HUGETLB_FOLIO_PRE_POISONED goto out: folio_put() refcount: 1 -> 0 free_huge_folio() spin_lock_irqsave(&hugetlb_lock) -> AA DEADLOCK! The out: path in __get_huge_page_for_hwpoison() calls folio_put() to drop the GUP reference while the hugetlb_lock is still held by the hugetlb.c wrapper get_huge_page_for_hwpoison(). If concurrent unmap has released the page table mapping reference, folio_put() drops the folio refcount to zero, triggering free_huge_folio() which attempts to re-acquire the non-recursive hugetlb_lock. Fix this by moving hugetlb_lock acquisition from the hugetlb.c wrapper into get_huge_page_for_hwpoison(). Place spin_unlock_irq() before the folio_put() at the out: label so the folio is always released outside the lock. [[email protected]: fix race, rename label per Miaohe]
Added	Reference	https://git.kernel.org/stable/c/3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e
Added	Reference	https://git.kernel.org/stable/c/77b73b54801ae7137479c141fd0473a491c1dc48
Added	Reference	https://git.kernel.org/stable/c/a33bfed648c10f5a1519981dbfad80841191edc8
Added	Reference	https://git.kernel.org/stable/c/bf7ba8f96c258c30393814491930ae4ecdc5fe5e
Added	Reference	https://git.kernel.org/stable/c/dd77a83915b07e2b0205adb284f08b39ae31dc4b
Added	Reference	https://git.kernel.org/stable/c/fc3ff42cb0cbf947e4600ae9761c3783760050e2
Added	Affected	Record truncated, showing 2048 of 2265 characters. View Entire Change Record [{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["include/linux/hugetlb.h","include/linux/mm.h","mm/hugetlb.c","mm/memory-failure.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"405ce051236cc65b30bbfe490b28ce60ae6aed85","lessThan":"fc3ff42cb0cbf947e4600ae9761c3783760050e2","versionType":"git","status":"affected"},{"version":"405ce051236cc65b30bbfe490b28ce60ae6aed85","lessThan":"77b73b54801ae7137479c141fd0473a491c1dc48","versionType":"git","status":"affected"},{"version":"405ce051236cc65b30bbfe490b28ce60ae6aed85","lessThan":"a33bfed648c10f5a1519981dbfad80841191edc8","versionType":"git","status":"affected"},{"version":"405ce051236cc65b30bbfe490b28ce60ae6aed85","lessThan":"dd77a83915b07e2b0205adb284f08b39ae31dc4b","versionType":"git","status":"affected"},{"version":"405ce051236cc65b30bbfe490b28ce60ae6aed85","lessThan":"bf7ba8f96c258c30393814491930ae4ecdc5fe5e","versionType":"git","status":"affected"},{"version":"405ce051236cc65b30bbfe490b28ce60ae6aed85","lessThan":"3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e","versionType":"git","status":"affected"},{"version":"62d1655b922958826b7ec22682c3141746f75064","versionType":"git","status":"affected"},{"version":"5.15.54","lessThan":"5.16","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["include/linux/hugetlb.h","include/linux/mm.h","mm/hugetlb.c","mm/memory-failure.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.18","status":"affected"},{"version":"0","lessThan":"5.18","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.","versionType":"semver","status":"unaffected"},{"version":"6.12.94","lessThanOrEqual":"6.12.","versionType":"semver","status":"unaffected"},{"version":"6.18.36","lessThanOrEqual":"6.18.","versionType":"semver","s

Quick Info

CVE Dictionary Entry:
CVE-2026-53207
NVD Published Date:
06/25/2026
NVD Last Modified:
06/25/2026
Source:
kernel.org

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

CVE-2026-53207 Detail

Description

Metrics

References to Advisories, Solutions, and Tools

Weakness Enumeration

Change History

New CVE Received from kernel.org 6/25/2026 5:16:38 AM

Quick Info