Skip to main content

Linux Kernel CVE-2026-43404

| EUVDEUVD-2026-28710 MEDIUM
Improper Locking (CWE-667)
2026-05-08 Linux GHSA-ffq9-g2vv-386p
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 21, 2026 - 21:35 vuln.today
CVSS changed
May 21, 2026 - 19:22 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mm: Fix a hmm_range_fault() livelock / starvation problem

If hmm_range_fault() fails a folio_trylock() in do_swap_page, trying to acquire the lock of a device-private folio for migration, to ram, the function will spin until it succeeds grabbing the lock.

However, if the process holding the lock is depending on a work item to be completed, which is scheduled on the same CPU as the spinning hmm_range_fault(), that work item might be starved and we end up in a livelock / starvation situation which is never resolved.

This can happen, for example if the process holding the device-private folio lock is stuck in migrate_device_unmap()->lru_add_drain_all() sinc lru_add_drain_all() requires a short work-item to be run on all online cpus to complete.

A prerequisite for this to happen is: a) Both zone device and system memory folios are considered in migrate_device_unmap(), so that there is a reason to call lru_add_drain_all() for a system memory folio while a folio lock is held on a zone device folio. b) The zone device folio has an initial mapcount > 1 which causes at least one migration PTE entry insertion to be deferred to try_to_migrate(), which can happen after the call to lru_add_drain_all(). c) No or voluntary only preemption.

This all seems pretty unlikely to happen, but indeed is hit by the "xe_exec_system_allocator" igt test.

Resolve this by waiting for the folio to be unlocked if the folio_trylock() fails in do_swap_page().

Rename migration_entry_wait_on_locked() to softleaf_entry_wait_unlock() and update its documentation to indicate the new use-case.

Future code improvements might consider moving the lru_add_drain_all() call in migrate_device_unmap() to be called *after* all pages have migration entries inserted. That would eliminate also b) above.

v2:

  • Instead of a cond_resched() in hmm_range_fault(),

eliminate the problem by waiting for the folio to be unlocked in do_swap_page() (Alistair Popple, Andrew Morton) v3:

  • Add a stub migration_entry_wait_on_locked() for the

!CONFIG_MIGRATION case. (Kernel Test Robot) v4:

  • Rename migrate_entry_wait_on_locked() to

softleaf_entry_wait_on_locked() and update docs (Alistair Popple) v5:

  • Add a WARN_ON_ONCE() for the !CONFIG_MIGRATION

version of softleaf_entry_wait_on_locked().

  • Modify wording around function names in the commit message

(Andrew Morton)

(cherry picked from commit a69d1ab971a624c6f112cea61536569d579c3215)

AnalysisAI

Livelock and CPU starvation in the Linux kernel memory management subsystem allows a local authenticated user to hang the system by triggering an unbounded spin loop in hmm_range_fault(). The root cause is in do_swap_page(), where failure to acquire folio_trylock() on a device-private folio causes the kernel to spin indefinitely while a competing process holding the lock is blocked waiting for work items on the same CPU - work items that are starved by the spinner. This vulnerability requires a highly specific combination of HMM device-private memory migration conditions and is confirmed reproduced by the Intel GPU test suite. No public exploit exists and no active exploitation is identified at time of analysis.

Technical ContextAI

The vulnerability resides in the Linux kernel's Heterogeneous Memory Management (HMM) subsystem, specifically in the interaction between hmm_range_fault(), do_swap_page(), and migrate_device_unmap(). CWE-667 (Improper Locking) describes the root cause: a spin loop in do_swap_page() retries folio_trylock() without yielding, starving other runnable work on the same CPU. The cascade occurs because migrate_device_unmap() calls lru_add_drain_all(), which requires short work items to complete on all online CPUs - but the spinning hmm_range_fault() thread occupies the relevant CPU, preventing those work items from running. This creates a circular dependency: the folio lock cannot be released until lru_add_drain_all() completes, and lru_add_drain_all() cannot complete because the CPU is spinning waiting for the folio lock. The fix resolves this by replacing the spin with a proper wait-for-unlock via the renamed softleaf_entry_wait_unlock() (formerly migration_entry_wait_on_locked()), allowing the CPU to yield and break the livelock. Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*.

RemediationAI

Upgrade to a patched kernel version: Linux 7.0 (mainline), 6.19.9 (stable), or 6.18.19 (stable). The fixes are available in the Linux stable tree at https://git.kernel.org/stable/c/94b6d0ba4b640ba23bb6c708a59316e74e5ede63, https://git.kernel.org/stable/c/7e6e2fc91d4b9b12ec6e137019532568ebcf2680, and https://git.kernel.org/stable/c/b570f37a2ce480be26c665345c5514686a8a0274. As a compensating control on systems where kernel upgrade is not immediately feasible, enabling full kernel preemption (CONFIG_PREEMPT) eliminates condition (c) and prevents the livelock, though this carries a throughput trade-off for high-performance workloads. Alternatively, disabling or restricting use of device-private memory in GPU drivers (e.g., xe driver parameter tuning) eliminates condition (a). Neither workaround is zero-cost: preemption increases scheduling overhead, and disabling device-private memory may reduce GPU workload performance significantly.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43404 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy