NVD

CVE-2026-23375 Detail

Description

In the Linux kernel, the following vulnerability has been resolved: mm: thp: deny THP for files on anonymous inodes file_thp_enabled() incorrectly allows THP for files on anonymous inodes (e.g. guest_memfd and secretmem). These files are created via alloc_file_pseudo(), which does not call get_write_access() and leaves inode->i_writecount at 0. Combined with S_ISREG(inode->i_mode) being true, they appear as read-only regular files when CONFIG_READ_ONLY_THP_FOR_FS is enabled, making them eligible for THP collapse. Anonymous inodes can never pass the inode_is_open_for_write() check since their i_writecount is never incremented through the normal VFS open path. The right thing to do is to exclude them from THP eligibility altogether, since CONFIG_READ_ONLY_THP_FOR_FS was designed for real filesystem files (e.g. shared libraries), not for pseudo-filesystem inodes. For guest_memfd, this allows khugepaged and MADV_COLLAPSE to create large folios in the page cache via the collapse path, but the guest_memfd fault handler does not support large folios. This triggers WARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping(). For secretmem, collapse_file() tries to copy page contents through the direct map, but secretmem pages are removed from the direct map. This can result in a kernel crash: BUG: unable to handle page fault for address: ffff88810284d000 RIP: 0010:memcpy_orig+0x16/0x130 Call Trace: collapse_file hpage_collapse_scan_file madvise_collapse Secretmem is not affected by the crash on upstream as the memory failure recovery handles the failed copy gracefully, but it still triggers confusing false memory failure reports: Memory failure: 0x106d96f: recovery action for clean unevictable LRU page: Recovered Check IS_ANON_FILE(inode) in file_thp_enabled() to deny THP for all anonymous inode files.

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score: 5.5 MEDIUM

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL	Source(s)	Tag(s)
https://git.kernel.org/stable/c/0524ee56af2c9bfbad152a810f1ca95de8ca00d7	kernel.org	Patch
https://git.kernel.org/stable/c/08de46a75f91a6661bc1ce0a93614f4bc313c581	kernel.org	Patch
https://git.kernel.org/stable/c/dd085fe9a8ebfc5d10314c60452db38d2b75e609	kernel.org	Patch
https://git.kernel.org/stable/c/f6fa05f0dddd387417d0c28281ddb951582514d6	kernel.org	Patch

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-617	Reachable Assertion	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

3 change records found show changes

CVE Modified by kernel.org 6/17/2026 6:21:27 AM

Action

Type

Old Value

New Value

Added

Affected

[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["mm/huge_memory.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"7fbb5e188248c50f737720825da1864ce42536d1","lessThan":"08de46a75f91a6661bc1ce0a93614f4bc313c581","versionType":"git","status":"affected"},{"version":"7fbb5e188248c50f737720825da1864ce42536d1","lessThan":"0524ee56af2c9bfbad152a810f1ca95de8ca00d7","versionType":"git","status":"affected"},{"version":"7fbb5e188248c50f737720825da1864ce42536d1","lessThan":"f6fa05f0dddd387417d0c28281ddb951582514d6","versionType":"git","status":"affected"},{"version":"7fbb5e188248c50f737720825da1864ce42536d1","lessThan":"dd085fe9a8ebfc5d10314c60452db38d2b75e609","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["mm/huge_memory.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.8","status":"affected"},{"version":"0","lessThan":"6.8","versionType":"semver","status":"unaffected"},{"version":"6.12.78","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.17","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.7","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]

Initial Analysis by NIST 4/24/2026 12:31:31 PM

Action	Type	New Value
Added	CVSS V3.1	AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Added	CWE	CWE-617
Added	CPE Configuration	OR cpe:2.3:o:linux:linux_kernel:6.8:-::::::* cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.19 up to (excluding) 6.19.7 cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::* cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::* cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::* cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::* cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::* cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::* cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::* cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.13 up to (excluding) 6.18.17 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.8.1 up to (excluding) 6.12.78
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/0524ee56af2c9bfbad152a810f1ca95de8ca00d7 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/08de46a75f91a6661bc1ce0a93614f4bc313c581 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/dd085fe9a8ebfc5d10314c60452db38d2b75e609 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/f6fa05f0dddd387417d0c28281ddb951582514d6 Types: Patch

New CVE Received from kernel.org 3/25/2026 7:16:37 AM

Action	Type	New Value
Added	Description	In the Linux kernel, the following vulnerability has been resolved: mm: thp: deny THP for files on anonymous inodes file_thp_enabled() incorrectly allows THP for files on anonymous inodes (e.g. guest_memfd and secretmem). These files are created via alloc_file_pseudo(), which does not call get_write_access() and leaves inode->i_writecount at 0. Combined with S_ISREG(inode->i_mode) being true, they appear as read-only regular files when CONFIG_READ_ONLY_THP_FOR_FS is enabled, making them eligible for THP collapse. Anonymous inodes can never pass the inode_is_open_for_write() check since their i_writecount is never incremented through the normal VFS open path. The right thing to do is to exclude them from THP eligibility altogether, since CONFIG_READ_ONLY_THP_FOR_FS was designed for real filesystem files (e.g. shared libraries), not for pseudo-filesystem inodes. For guest_memfd, this allows khugepaged and MADV_COLLAPSE to create large folios in the page cache via the collapse path, but the guest_memfd fault handler does not support large folios. This triggers WARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping(). For secretmem, collapse_file() tries to copy page contents through the direct map, but secretmem pages are removed from the direct map. This can result in a kernel crash: BUG: unable to handle page fault for address: ffff88810284d000 RIP: 0010:memcpy_orig+0x16/0x130 Call Trace: collapse_file hpage_collapse_scan_file madvise_collapse Secretmem is not affected by the crash on upstream as the memory failure recovery handles the failed copy gracefully, but it still triggers confusing false memory failure reports: Memory failure: 0x106d96f: recovery action for clean unevictable LRU page: Recovered Check IS_ANON_FILE(inode) in file_thp_enabled() to deny THP for all anonymous inode files.
Added	Reference	https://git.kernel.org/stable/c/0524ee56af2c9bfbad152a810f1ca95de8ca00d7
Added	Reference	https://git.kernel.org/stable/c/08de46a75f91a6661bc1ce0a93614f4bc313c581
Added	Reference	https://git.kernel.org/stable/c/dd085fe9a8ebfc5d10314c60452db38d2b75e609
Added	Reference	https://git.kernel.org/stable/c/f6fa05f0dddd387417d0c28281ddb951582514d6

Quick Info

CVE Dictionary Entry:
CVE-2026-23375
NVD Published Date:
03/25/2026
NVD Last Modified:
06/17/2026
Source:
kernel.org

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

CVE-2026-23375 Detail

Description

Metrics

References to Advisories, Solutions, and Tools

Weakness Enumeration

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Change History

CVE Modified by kernel.org 6/17/2026 6:21:27 AM

Initial Analysis by NIST 4/24/2026 12:31:31 PM

New CVE Received from kernel.org 3/25/2026 7:16:37 AM

Quick Info