Skip to main content

Linux Kernel CVE-2026-46017

| EUVDEUVD-2026-32398 MEDIUM
Race Condition (CWE-362)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-88w3-x23r-c432
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Local-only race condition requiring SMP concurrency and migration timing (AV:L/AC:H); unprivileged user can trigger migration (PR:L); no confidentiality or integrity impact applies.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 16, 2026 - 16:00 vuln.today
CVSS changed
Jun 16, 2026 - 15:37 NVD
4.7 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

mm: fix deferred split queue races during migration

migrate_folio_move() records the deferred split queue state from src and replays it on dst. Replaying it after remove_migration_ptes(src, dst, 0) makes dst visible before it is requeued, so a concurrent rmap-removal path can mark dst partially mapped and trip the WARN in deferred_split_folio().

Move the requeue before remove_migration_ptes() so dst is back on the deferred split queue before it becomes visible again.

Because migration still holds dst locked at that point, teach deferred_split_scan() to requeue a folio when folio_trylock() fails. Otherwise a fully mapped underused folio can be dequeued by the shrinker and silently lost from split_queue.

[ziy@nvidia.com: move the comment]

AnalysisAI

Race condition in the Linux kernel memory management subsystem during large-folio migration can cause kernel availability disruption on SMP/NUMA systems. The flaw in migrate_folio_move() causes a destination folio to become visible to concurrent rmap-removal paths before being requeued onto the deferred split queue, triggering a kernel WARN in deferred_split_folio() or silently losing a folio from split_queue when the shrinker races the migration lock. With no public exploit, no CISA KEV listing, and an EPSS of 0.02%, this is a low real-world risk issue primarily relevant to HPC, virtualization, and database workloads with heavy NUMA migration activity.

Technical ContextAI

The vulnerability resides in the Linux kernel mm subsystem, specifically in the folio migration path (migrate_folio_move()) and the deferred split shrinker (deferred_split_scan()). Folios are compound memory pages; the deferred split mechanism queues partially unmapped large folios via split_queue for later splitting. During migration, migrate_folio_move() captures the source folio's deferred split state and replays it on the destination. The race window opens because the replay (requeue onto split_queue) occurred after remove_migration_ptes(src, dst, 0), which makes the destination folio visible to all other CPU paths. A concurrent rmap-removal path can then observe the destination as partially mapped and invoke deferred_split_folio(), hitting a WARN because the folio is not yet enqueued. A second race exists in deferred_split_scan(): if the shrinker calls folio_trylock() on a migration-locked destination folio and fails, it previously dequeued the folio without requeueing, silently losing it from split_queue. CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization) describes both races accurately. Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*. The Nvidia contributor attribution (ziy@nvidia.com) in the patch commit suggests the issue was surfaced in GPU-memory-intensive or HPC workloads.

RemediationAI

The upstream fix is confirmed available in Linux kernel 7.0.4 and 7.1-rc1; administrators should upgrade to kernel 7.0.4 or later. The stable-tree patches are available at https://git.kernel.org/stable/c/cbf75cf212ee6e499abc1757fb4b5ae6d70ed0aa and https://git.kernel.org/stable/c/3bac01168982ec3e3bf87efdc1807c7933590a85. For systems that cannot be immediately patched, the exposure can be narrowed by disabling automatic NUMA balancing at boot via the kernel parameter numa_balancing=disable or at runtime with echo 0 > /proc/sys/kernel/numa_balancing - note this trades memory locality performance for reduced migration activity. Alternatively, disabling transparent huge pages via echo never > /sys/kernel/mm/transparent_hugepage/enabled suppresses large-folio promotion and migration at the cost of potential THP-related throughput regression for memory-bound workloads. Neither workaround eliminates the race if applications explicitly invoke move_pages() or mbind(). Distribution-specific errata (RHSA, USN, SUSE advisory) should be tracked for backport packages.

More in Nvidia

View all
CVE-2016-1741 CRITICAL POC
9.8 Mar 24

The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X before 10.11.4 allows attackers to execute arbitrary c

CVE-2013-0109 HIGH POC
7.2 Apr 08

The NVIDIA driver before 307.78, and Release 310 before 311.00, in the NVIDIA Display Driver service on Windows does not

CVE-2019-5684 CRITICAL POC
10.0 Aug 06

NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft

CVE-2026-24207 CRITICAL POC
9.8 May 20

Authentication bypass in NVIDIA Triton Inference Server allows unauthenticated remote attackers to reach protected funct

CVE-2019-5685 CRITICAL POC
9.8 Aug 06

NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft

CVE-2025-23359 HIGH POC
8.3 Feb 12

NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default co

CVE-2016-8812 HIGH POC
8.8 Nov 08

For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA GeForce Experience R340 before GFE 2.11.4.125 and R375 before G

CVE-2016-1861 HIGH POC
7.8 Jun 19

The NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows attackers to execute arbitrary code in a privi

CVE-2024-0132 HIGH POC
8.3 Sep 26

NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with de

CVE-2016-1846 HIGH POC
7.8 May 20

The nvCommandQueue::GetHandleIndex method in the NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows a

CVE-2015-7865 HIGH POC
7.7 Nov 24

nvSCPAPISvr.exe in the Stereoscopic 3D Driver Service in the NVIDIA GPU graphics driver R340 before 341.92, R352 before

CVE-2016-8811 HIGH POC
7.8 Nov 08

For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU Display Driver R340 before 342.00 and R375 before 3

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46017 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy