Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Hardware memory poisoning (EHWPOISON) is a non-default prerequisite absent from typical deployments, warranting AC:H over the NVD's AC:L.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
mm/hugetlb: restore reservation on error in hugetlb folio copy paths
Two sites in mm/hugetlb.c allocate a hugetlb folio via alloc_hugetlb_folio() (consuming a VMA reservation) and then call copy_user_large_folio(), which became int-returning in commit 1cb9dc4b475c ("mm: hwpoison: support recovery from HugePage copy-on-write faults") and can now fail (e.g. -EHWPOISON on a hwpoisoned source page). On the failure path, folio_put() restores the global hugetlb pool count through free_huge_folio(), but the per-VMA reservation map entry is left marked consumed:
- hugetlb_mfill_atomic_pte() resubmission path (UFFDIO_COPY)
- copy_hugetlb_page_range() fork-time CoW path when
hugetlb_try_dup_anon_rmap() fails (rare: pinned hugetlb anon folio under fork)
User-visible effect: on UFFDIO_COPY into a private hugetlb VMA where the resubmission copy fails, the reservation for that address is leaked from the VMA's reserve map. A subsequent fault at the same address takes the no-reservation path, and under hugetlb pool pressure the task is SIGBUSed at an address it had previously reserved. The fork-time CoW path leaks the same way in the child VMA's reserve map, though it requires the much rarer combination of pinned hugetlb anon page + hwpoisoned source.
Add the missing restore_reserve_on_error() call before folio_put() on both error paths.
AnalysisAI
Hugetlb VMA reservation leak in the Linux kernel mm/hugetlb subsystem allows a local authenticated user to trigger SIGBUS on a process at a previously reserved huge-page address. Two code paths - the UFFDIO_COPY resubmission path and the fork-time copy-on-write path - fail to call restore_reserve_on_error() after copy_user_large_folio() returns an error, leaving the per-VMA reservation map entry marked consumed. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation of the primary path requires: (1) local access with standard user privileges (PR:L per CVSS), (2) a private hugetlb VMA with an active reservation, (3) userfaultfd access (restricted to privileged users by default on many distributions via /proc/sys/vm/unprivileged_userfaultfd=0 since kernel 5.11 - verify your distribution default), (4) a hardware-poisoned source page causing copy_user_large_folio() to return -EHWPOISON, and (5) hugetlb pool pressure at the time of the subsequent fault to trigger the SIGBUS. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) correctly characterizes this as a local, low-privilege availability issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user on a system with ECC memory experiencing hardware memory errors (or with access to madvise MADV_HWPOISON injection) sets up a private hugetlb VMA and registers a userfaultfd handler. The user issues UFFDIO_COPY targeting a hardware-poisoned source page; the kernel allocates a new hugetlb folio consuming the VMA reservation, but copy_user_large_folio() returns -EHWPOISON and the missing restore_reserve_on_error() call leaves the reservation leaked. … |
| Remediation | Apply the vendor-released patches available in the following stable kernel versions: 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 final release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39245
GHSA-6828-fj37-mvwr