Skip to main content

Linux Kernel EUVDEUVD-2026-34130

| CVE-2026-46268 MEDIUM
2026-06-03 Linux GHSA-9f46-h8mj-93v5
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 09, 2026 - 20:18 vuln.today
CVSS changed
Jun 09, 2026 - 19:52 NVD
5.5 (MEDIUM)
Patch available
Jun 03, 2026 - 19:01 EUVD
CVE Published
Jun 03, 2026 - 15:50 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 03, 2026 - 15:50 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

PCI/P2PDMA: Fix p2pmem_alloc_mmap() warning condition

Commit b7e282378773 has already changed the initial page refcount of p2pdma page from one to zero, however, in p2pmem_alloc_mmap() it uses "VM_WARN_ON_ONCE_PAGE(!page_ref_count(page))" to assert the initial page refcount should not be zero and the following will be reported when CONFIG_DEBUG_VM is enabled:

page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x380400000 flags: 0x20000000002000(reserved|node=0|zone=4) raw: 0020000000002000 ff1100015e3ab440 0000000000000000 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: VM_WARN_ON_ONCE_PAGE(!page_ref_count(page)) ------------[ cut here ]------------ WARNING: CPU: 5 PID: 449 at drivers/pci/p2pdma.c:240 p2pmem_alloc_mmap+0x83a/0xa60

Fix by using "page_ref_count(page)" as the assertion condition.

AnalysisAI

Inverted debug assertion in the Linux kernel PCI/P2PDMA subsystem triggers a spurious kernel warning in p2pmem_alloc_mmap() when CONFIG_DEBUG_VM is enabled, resulting in high availability impact on affected systems. The root cause is a stale VM_WARN_ON_ONCE_PAGE condition that was not updated after commit b7e282378773 changed the initial page refcount from one to zero, causing the assertion to fire on every valid P2PDMA allocation. Authenticated local users with access to P2PDMA-capable hardware can exploit this on debug-compiled kernels to cause denial of service; no public exploit exists and EPSS is 0.02% (4th percentile), reflecting negligible real-world exploitation likelihood.

Technical ContextAI

The vulnerability resides in the Linux kernel's PCI Peer-to-Peer DMA (P2PDMA) subsystem, specifically in drivers/pci/p2pdma.c at the p2pmem_alloc_mmap() function (line 240). A prior refactoring commit (b7e282378773) legitimately changed the initial reference count of P2PDMA pages from one to zero as part of a page lifecycle redesign. The associated debug assertion VM_WARN_ON_ONCE_PAGE(!page_ref_count(page)) was not updated to reflect this new expected state, causing it to fire on every P2PDMA page allocation when CONFIG_DEBUG_VM is compiled into the kernel. The fix inverts the assertion to VM_WARN_ON_ONCE_PAGE(page_ref_count(page)), which now correctly warns if refcount is unexpectedly nonzero. No CWE is formally assigned, but this is a logic/assertion inversion defect - a stale precondition check not updated after a deliberate refcount semantic change. CPE cpe:2.3:a:linux:linux:* covers all kernel versions, with the actual affected range bounded by the introduction of commit b7e282378773 and the three stable-branch fix commits.

RemediationAI

Upgrade to a patched Linux kernel release: version 6.18.14 or later on the 6.18 stable branch, version 6.19.4 or later on the 6.19 stable branch, or Linux 7.0 or later. The upstream fix commits are eb9aa9f8010465d927864f5a35bdc5604b0ff51a, 9b69243983fb2f4d4d1f4ef0989bc1296547dc2c, and cb500023a75246f60b79af9f7321d6e75330c5b5, available at https://git.kernel.org/stable/c/. For systems where a kernel upgrade is not immediately feasible, the most effective compensating control is confirming that CONFIG_DEBUG_VM is not enabled in the running kernel (verify via /boot/config-$(uname -r) or grep CONFIG_DEBUG_VM /proc/config.gz); if it is absent, the vulnerable assertion code is never compiled in and no further action is required. As a secondary measure on debug kernels where CONFIG_DEBUG_VM cannot be disabled, setting panic_on_warn=0 in kernel boot parameters prevents the warning from escalating to a system panic, though kernel warning floods remain possible. Production systems running standard distribution kernels without CONFIG_DEBUG_VM require no immediate action.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

EUVD-2026-34130 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy