Skip to main content

Linux Kernel EUVDEUVD-2026-39298

| CVE-2026-53207 MEDIUM
Improper Locking (CWE-667)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-hfrj-r4v7-3997
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Race condition requires precise timing across three concurrent operations, warranting AC:H over the vendor-assigned AC:L; PR:L reflects madvise(MADV_HWPOISON) requiring CAP_SYS_ADMIN on typical distributions.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 02, 2026 - 23:16 vuln.today
CVSS changed
Jul 02, 2026 - 21:07 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison

Two concurrent madvise(MADV_HWPOISON) calls on the same hugetlb page can trigger a recursive spinlock self-deadlock (AA deadlock) on hugetlb_lock when racing with a concurrent unmap:

thread#0 thread#1 -------- -------- madvise(folio, MADV_HWPOISON) -> poisons the folio successfully madvise(folio, MADV_HWPOISON) unmap(folio) try_memory_failure_hugetlb get_huge_page_for_hwpoison spin_lock_irq(&hugetlb_lock) <- held __get_huge_page_for_hwpoison hugetlb_update_hwpoison() -> MF_HUGETLB_FOLIO_PRE_POISONED goto out: folio_put() refcount: 1 -> 0 free_huge_folio() spin_lock_irqsave(&hugetlb_lock) -> AA DEADLOCK!

The out: path in __get_huge_page_for_hwpoison() calls folio_put() to drop the GUP reference while the hugetlb_lock is still held by the hugetlb.c wrapper get_huge_page_for_hwpoison(). If concurrent unmap has released the page table mapping reference, folio_put() drops the folio refcount to zero, triggering free_huge_folio() which attempts to re-acquire the non-recursive hugetlb_lock.

Fix this by moving hugetlb_lock acquisition from the hugetlb.c wrapper into get_huge_page_for_hwpoison(). Place spin_unlock_irq() before the folio_put() at the out: label so the folio is always released outside the lock.

[akpm@linux-foundation.org: fix race, rename label per Miaohe]

AnalysisAI

Recursive spinlock AA deadlock in the Linux kernel's hugetlb memory-failure subsystem allows a local user to hang or panic the kernel by racing two concurrent madvise(MADV_HWPOISON) calls against a concurrent unmap on the same hugetlb folio. The flaw exists because get_huge_page_for_hwpoison() held hugetlb_lock while calling folio_put(), which - when concurrent unmap had already dropped the page-table reference - triggered free_huge_folio() to re-acquire the non-recursive lock, causing an irrecoverable deadlock. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain local CAP_SYS_ADMIN access
Delivery
Allocate hugetlb-backed memory mapping
Exploit
Spawn concurrent unmap thread
Install
Issue two simultaneous madvise(MADV_HWPOISON) on same folio
C2
Unmap releases last page-table reference under held lock
Execute
folio_put() drops refcount to zero, triggers free_huge_folio()
Impact
free_huge_folio() re-acquires held hugetlb_lock
Step 8
Kernel spinlock AA deadlock, system hang

Vulnerability AssessmentAI

Exploitation Exploitation requires a local user process with CAP_SYS_ADMIN (or equivalent capability) to call madvise(MADV_HWPOISON); on standard Linux distributions this limits the attacker to root or explicitly delegated privileged users. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.5 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H accurately captures the local-only, availability-only character of this flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user holding CAP_SYS_ADMIN allocates a hugetlb-backed mapping, then spawns two threads simultaneously issuing madvise(MADV_HWPOISON) on the same folio while a third thread concurrently unmaps the page. If the unmap drops the last page-table reference between the second madvise call's lock acquisition and its folio_put(), the refcount hits zero, free_huge_folio() attempts to re-acquire hugetlb_lock, and the kernel deadlocks - hanging the affected CPU or triggering a watchdog panic. …
Remediation Upgrade to a patched stable kernel release: 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1, as confirmed by EUVD version data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39298 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy