VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 31, 2005· Updated Jun 16, 2026

CVE-2005-4811

CVE-2005-4811

Description

The hugepage code (hugetlb.c) in Linux kernel 2.6, possibly 2.6.12 and 2.6.13, in certain configurations, allows local users to cause a denial of service (crash) by triggering an mmap error before a prefault, which causes an error in the unmap_hugepage_area function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

60
  • Linux/Kernel60 versions
    cpe:2.3:o:linux:linux_kernel:2.6.0:test1:*:*:*:*:*:*+ 59 more
    • cpe:2.3:o:linux:linux_kernel:2.6.0:test1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.0:test10:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.0:test11:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.0:test2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.0:test3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.0:test4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.0:test5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.0:test6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.0:test7:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.0:test8:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.0:test9:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.1:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.10:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.10:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.11:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.11.11:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.11.12:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.11.5:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.11.6:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.11.7:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.11.8:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.11:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.11:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.11:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.12:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.12.1:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.12.2:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.12.3:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.12.4:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.12.5:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.12.6:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.12:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.13:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.13.1:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.13.2:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.13.3:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.13.4:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.13:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.13:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.13:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.13:rc7:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.1:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.1:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.2:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.3:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.4:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.5:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.6:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.6:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.7:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.7:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.8:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.8:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.8:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.8:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.9:2.6.20:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6_test9_cvs:*:*:*:*:*:*:*
    • (no CPE)range: 2.6

Patches

Vulnerability mechanics

Root cause

"Missing NULL-pointer check on huge_pte_offset() return value in unmap_hugepage_area() when mmap() fails before prefault."

Attack vector

A local user triggers a hugepage `mmap()` call that encounters an error before the prefault step populates the page tables. The error path calls `unmap_region()`, which invokes `unmap_hugepage_area()`. That function dereferences the result of `huge_pte_offset()` without a NULL check, causing a crash (NULL pointer dereference) when a PTE is missing [ref_id=1]. No special privileges are required beyond the ability to map hugepages, depending on the kernel configuration [ref_id=1].

Affected code

The bug resides in `mm/hugetlb.c` in the `unmap_hugepage_area()` function. The function assumed that page table entries (PTEs) must exist for every hugepage-sized region it iterates over, because a prefault should have populated them. However, when `mmap()` fails before the prefault completes, `unmap_region()` is called to clean up the partial mapping, and some PTEs may be absent.

What the fix does

The patch adds a NULL check on the return value of `huge_pte_offset()` inside the loop in `unmap_hugepage_area()`. If the pointer is NULL, the code now executes `continue` to skip that address range instead of blindly dereferencing the pointer. The comment explains that this situation can occur on truncate or when an `mmap()` is aborted due to an error before the prefault [ref_id=1].

Preconditions

  • configThe system must be configured to support hugepages (hugetlb).
  • authThe attacker must be a local user able to invoke hugepage mmap() calls.
  • inputThe mmap() call must encounter an error before the prefault step completes.

Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

10

News mentions

0

No linked articles in our index yet.