{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23375", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.003Z", "datePublished": "2026-03-25T10:27:55.754Z", "dateUpdated": "2026-03-25T10:27:55.754Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:55.754Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: thp: deny THP for files on anonymous inodes\n\nfile_thp_enabled() incorrectly allows THP for files on anonymous inodes\n(e.g. guest_memfd and secretmem). These files are created via\nalloc_file_pseudo(), which does not call get_write_access() and leaves\ninode->i_writecount at 0. Combined with S_ISREG(inode->i_mode) being\ntrue, they appear as read-only regular files when\nCONFIG_READ_ONLY_THP_FOR_FS is enabled, making them eligible for THP\ncollapse.\n\nAnonymous inodes can never pass the inode_is_open_for_write() check\nsince their i_writecount is never incremented through the normal VFS\nopen path. The right thing to do is to exclude them from THP eligibility\naltogether, since CONFIG_READ_ONLY_THP_FOR_FS was designed for real\nfilesystem files (e.g. shared libraries), not for pseudo-filesystem\ninodes.\n\nFor guest_memfd, this allows khugepaged and MADV_COLLAPSE to create\nlarge folios in the page cache via the collapse path, but the\nguest_memfd fault handler does not support large folios. This triggers\nWARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping().\n\nFor secretmem, collapse_file() tries to copy page contents through the\ndirect map, but secretmem pages are removed from the direct map. This\ncan result in a kernel crash:\n\n BUG: unable to handle page fault for address: ffff88810284d000\n RIP: 0010:memcpy_orig+0x16/0x130\n Call Trace:\n collapse_file\n hpage_collapse_scan_file\n madvise_collapse\n\nSecretmem is not affected by the crash on upstream as the memory failure\nrecovery handles the failed copy gracefully, but it still triggers\nconfusing false memory failure reports:\n\n Memory failure: 0x106d96f: recovery action for clean unevictable\n LRU page: Recovered\n\nCheck IS_ANON_FILE(inode) in file_thp_enabled() to deny THP for all\nanonymous inode files."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/huge_memory.c"], "versions": [{"version": "7fbb5e188248c50f737720825da1864ce42536d1", "lessThan": "08de46a75f91a6661bc1ce0a93614f4bc313c581", "status": "affected", "versionType": "git"}, {"version": "7fbb5e188248c50f737720825da1864ce42536d1", "lessThan": "0524ee56af2c9bfbad152a810f1ca95de8ca00d7", "status": "affected", "versionType": "git"}, {"version": "7fbb5e188248c50f737720825da1864ce42536d1", "lessThan": "f6fa05f0dddd387417d0c28281ddb951582514d6", "status": "affected", "versionType": "git"}, {"version": "7fbb5e188248c50f737720825da1864ce42536d1", "lessThan": "dd085fe9a8ebfc5d10314c60452db38d2b75e609", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/huge_memory.c"], "versions": [{"version": "6.8", "status": "affected"}, {"version": "0", "lessThan": "6.8", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "7.0-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/08de46a75f91a6661bc1ce0a93614f4bc313c581"}, {"url": "https://git.kernel.org/stable/c/0524ee56af2c9bfbad152a810f1ca95de8ca00d7"}, {"url": "https://git.kernel.org/stable/c/f6fa05f0dddd387417d0c28281ddb951582514d6"}, {"url": "https://git.kernel.org/stable/c/dd085fe9a8ebfc5d10314c60452db38d2b75e609"}], "title": "mm: thp: deny THP for files on anonymous inodes", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: thp: deny THP for files on anonymous inodes\n\nfile_thp_enabled() incorrectly allows THP for files on anonymous inodes\n(e.g. guest_memfd and secretmem). These files are created via\nalloc_file_pseudo(), which does not call get_write_access() and leaves\ninode->i_writecount at 0. Combined with S_ISREG(inode->i_mode) being\ntrue, they appear as read-only regular files when\nCONFIG_READ_ONLY_THP_FOR_FS is enabled, making them eligible for THP\ncollapse.\n\nAnonymous inodes can never pass the inode_is_open_for_write() check\nsince their i_writecount is never incremented through the normal VFS\nopen path. The right thing to do is to exclude them from THP eligibility\naltogether, since CONFIG_READ_ONLY_THP_FOR_FS was designed for real\nfilesystem files (e.g. shared libraries), not for pseudo-filesystem\ninodes.\n\nFor guest_memfd, this allows khugepaged and MADV_COLLAPSE to create\nlarge folios in the page cache via the collapse path, but the\nguest_memfd fault handler does not support large folios. This triggers\nWARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping().\n\nFor secretmem, collapse_file() tries to copy page contents through the\ndirect map, but secretmem pages are removed from the direct map. This\ncan result in a kernel crash:\n\n BUG: unable to handle page fault for address: ffff88810284d000\n RIP: 0010:memcpy_orig+0x16/0x130\n Call Trace:\n collapse_file\n hpage_collapse_scan_file\n madvise_collapse\n\nSecretmem is not affected by the crash on upstream as the memory failure\nrecovery handles the failed copy gracefully, but it still triggers\nconfusing false memory failure reports:\n\n Memory failure: 0x106d96f: recovery action for clean unevictable\n LRU page: Recovered\n\nCheck IS_ANON_FILE(inode) in file_thp_enabled() to deny THP for all\nanonymous inode files."}], "id": "CVE-2026-23375", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:37.230", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0524ee56af2c9bfbad152a810f1ca95de8ca00d7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/08de46a75f91a6661bc1ce0a93614f4bc313c581"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/dd085fe9a8ebfc5d10314c60452db38d2b75e609"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f6fa05f0dddd387417d0c28281ddb951582514d6"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: mm: thp: deny THP for files on anonymous inodes", "id": "2451199", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451199"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in the Linux kernel's Transparent Huge Pages (THP) mechanism. This vulnerability occurs because the `file_thp_enabled()` function incorrectly allows THP for files on anonymous inodes, which are not designed for this feature. An attacker could potentially exploit this by manipulating specific memory operations, leading to a kernel crash when handling secret memory pages. Additionally, it can cause incorrect memory failure reports for guest memory files."], "name": "CVE-2026-23375", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23375\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23375\nhttps://lore.kernel.org/linux-cve-announce/2026032541-CVE-2026-23375-91b1@gregkh/T"], "statement": "This flaw affects systems using THP with guest_memfd (KVM) or secretmem. Anonymous inodes incorrectly pass THP eligibility checks, causing khugepaged to create large folios that these subsystems don't support. For secretmem, collapse_file() accesses pages removed from direct map, causing crashes. Requires CONFIG_READ_ONLY_THP_FOR_FS and use of affected pseudo-filesystems.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-03-25T12:22:45.055575+00:00", "value": {"mitigation_remediation": ["Apply the official kernel patch that corrects the THP eligibility check for anonymous inodes", "If a patch is not immediately available, disable the CONFIG_READ_ONLY_THP_FOR_FS configuration option in the kernel build or unload the module that enables read\u2011only THP collapse", "As a temporary measure, disable THP globally by writing 0 to /sys/kernel/mm/transparent_hugepage/enabled", "Verify that memfd or secretmem interfaces are not exposed to untrusted users, restricting creation of anonymous inodes when not required"], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to any Linux kernel that includes the buggy THP check and is compiled with CONFIG_READ_ONLY_THP_FOR_FS enabled. It affects all distributions that ship with this configuration, regardless of the kernel version, as long as the erroneous logic remains. The issue can be triggered by creating guest_memfd or secretmem files locally, so any system that exposes these interfaces to untrusted users faces the potential impact.", "description_and_impact": "The Linux kernel contains a logic error in the Transparent Hugepage (THP) eligibility check for anonymous inodes such as guest_memfd and secretmem. When CONFIG_READ_ONLY_THP_FOR_FS is enabled, these pseudo\u2011filesystem files are mistakenly treated as read\u2011only regular files and are allowed to participate in THP collapse. Triggering THP collapse on such inodes creates large folios in the page cache, but the fault handlers for these files do not support that operation. This leads to a warning in the memory fault path and, for secretmem, a page fault during a vulnerable memcpy that causes a kernel panic or confusing memory\u2011failure reports, effectively denying service.", "risk_and_exploitability": "No CVSS score is provided, and EPSS data is unavailable, indicating limited public exploitation data. The flaw requires an attacker to provoke THP collapse on a file created via memfd or secretmem, which is generally achievable by a local user on a system with the relevant configuration. The attack vector is therefore likely local, though a remote application could trigger the collapse if it has sufficient permissions. Because the bug can cause an immediate kernel crash, the risk is high in affected environments. No public exploits are known, but the potential for denial of service exists."}}}}, "created": "2026-03-25T21:31:40.821005+00:00", "updated": "2026-03-25T21:31:40.821041+00:00", "vendors": [], "weaknesses": ["CWE-120"]}