Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local low-priv trigger (AV:L/PR:L); a small race window justifies AC:H; primary impact is kernel-memory read (C:H) with limited integrity/availability effect from freed-folio reuse (I:L/A:L).
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
mm/huge_memory: update file PMD counter before folio_put()
__split_huge_pmd_locked() updates the file/shmem RSS counter after dropping the PMD mapping's folio reference. If folio_put() drops the last reference, mm_counter_file() can later read freed folio state via folio_test_swapbacked().
Move the counter update before folio_put().
AnalysisAI
Use-after-free in the Linux kernel's transparent huge page code (mm/huge_memory) lets a local low-privileged process read freed folio state when __split_huge_pmd_locked() updates the file/shmem RSS counter only after dropping the PMD mapping's folio reference. On affected kernels (introduced around the 4.19 era through to fixes in 6.x/7.x stable trees), a final folio_put() can free the folio before mm_counter_file() inspects it via folio_test_swapbacked(), enabling reads of freed kernel memory. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local code execution on the host (CVSS AV:L) with at least low privileges (PR:L) - no remote vector and no user interaction. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 7.8) marks this as a high-severity local issue requiring only low privileges, but several signals temper real-world urgency: EPSS is 0.18% (8th percentile), there is no CISA KEV listing, and no public PoC is referenced. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker with an unprivileged shell or code execution inside a container repeatedly triggers splitting of file/shmem huge-page mappings (e.g., via mmap of huge-page-backed files plus madvise/munmap under memory pressure) to hit the narrow window where folio_put() frees the folio before the RSS counter is read. By grooming the kernel heap to reallocate that freed folio, the attacker reads leaked kernel memory or corrupts page accounting, potentially advancing toward privilege escalation. … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or mainline 7.1 (or your distribution's equivalent backport). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit Linux kernel versions across all systems to identify those running 4.19-era through early 6.x/7.x. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39280
GHSA-g27r-592c-r436