CVE-2026-31575
Description
In the Linux kernel, the following vulnerability has been resolved:
mm/userfaultfd: fix hugetlb fault mutex hash calculation
In mfill_atomic_hugetlb(), linear_page_index() is used to calculate the page index for hugetlb_fault_mutex_hash(). However, linear_page_index() returns the index in PAGE_SIZE units, while hugetlb_fault_mutex_hash() expects the index in huge page units. This mismatch means that different addresses within the same huge page can produce different hash values, leading to the use of different mutexes for the same huge page. This can cause races between faulting threads, which can corrupt the reservation map and trigger the BUG_ON in resv_map_release().
Fix this by introducing hugetlb_linear_page_index(), which returns the page index in huge page granularity, and using it in place of linear_page_index().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A hash calculation mismatch in Linux kernel's userfaultfd for hugetlb pages can cause race conditions leading to reservation map corruption and a kernel BUG_ON.
Vulnerability
Details
In the Linux kernel's userfaultfd implementation for hugetlb pages, the function mfill_atomic_hugetlb() incorrectly uses linear_page_index() to calculate the page index for hugetlb_fault_mutex_hash(). While linear_page_index() returns an index in PAGE_SIZE units, the mutex hash function expects the index in huge page units. This mismatch causes different addresses within the same huge page to map to different mutexes, breaking mutual exclusion for concurrent fault handling on the same huge page [1].
Exploitation
An attacker with local access who can create a userfaultfd and register a hugetlb mapping with it can trigger the race. The affected function, mfill_atomic_hugetlb(), runs on behalf of the UFFDIO_COPY family of ioctls (UFFDIO_COPY, UFFDIO_ZEROPAGE, UFFDIO_CONTINUE), i.e. the page-filling path, not the fault itself: a thread resolving a fault with UFFDIO_COPY on a huge page takes a mutex selected from a PAGE_SIZE-unit index, while the hugetlb fault path selects its mutex from a huge-page-unit index, so the two are generally different mutexes and a concurrent fault or second copy on the same huge page proceeds unserialized. The preconditions are that hugetlb pages are available to the process (a hugetlbfs mount or a vm.nr_hugepages pool) and that userfaultfd is reachable: with vm.unprivileged_userfaultfd set to 0, an unprivileged process can still create a userfaultfd in user-mode-only mode (UFFD_USER_MODE_ONLY), which suffices here, and on kernels that provide /dev/userfaultfd access can also be granted through that device. No elevated privileges are therefore required in many configurations.
Impact
The unserialized updates corrupt the hugetlb reservation map, and the inconsistency is caught by the BUG_ON in resv_map_release(), so the outcome is a kernel panic: a local denial of service. Neither the fix nor its description indicates that the corruption is controllable enough for privilege escalation, so the impact should be treated as DoS.
Mitigation
The fix adds hugetlb_linear_page_index(), which returns the index in huge-page granularity (the unit the fault path already hashes on), and uses it in mfill_atomic_hugetlb() in place of linear_page_index(). The fix has been backported to multiple stable branches; the five git.kernel.org commits listed under References carry it [1]. Update to a kernel that contains one of them. Until then, limiting which processes can create a userfaultfd (vm.unprivileged_userfaultfd, or the permissions on /dev/userfaultfd where the kernel provides it) reduces exposure but does not remove the bug, since any process that can still use userfaultfd on a hugetlb mapping reaches mfill_atomic_hugetlb().
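To make the unit mismatch from the Details section and the helper from the Mitigation section concrete, the following is an added user-space model of the index arithmetic. It is not kernel code and not part of this page's sources. It assumes 4 KiB base pages, 2 MiB huge pages, a 256-entry mutex table and a simple 64-bit mixing function standing in for the kernel's jhash2-based hugetlb_fault_mutex_hash(); the body of hugetlb_linear_page_index() is likewise an assumption about the helper the fix introduced. The VMA, the address_space pointer and the addresses are constructed values.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model of the index arithmetic behind CVE-2026-31575 (added example,
 * not kernel code). Assumes 4 KiB base pages and 2 MiB huge pages. */
#define PAGE_SHIFT   12
#define HPAGE_SHIFT  21
#define HPAGE_ORDER  (HPAGE_SHIFT - PAGE_SHIFT)   /* 9: 512 base pages per huge page */
#define NUM_FAULT_MUTEXES 256u                    /* assumed power-of-two table size */

/* Minimal stand-in for vm_area_struct; as in the kernel, vm_pgoff is in
 * PAGE_SIZE units even for a hugetlb VMA. */
struct vma {
    uint64_t vm_start;
    uint64_t vm_pgoff;
};

/* Same arithmetic as the kernel's linear_page_index(): index in PAGE_SIZE units. */
static uint64_t linear_page_index(const struct vma *vma, uint64_t addr)
{
    return ((addr - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
}

/* Index in huge-page units, the unit hugetlb_fault_mutex_hash() expects and the
 * fault path already uses. Body assumed for the helper the fix introduced. */
static uint64_t hugetlb_linear_page_index(const struct vma *vma, uint64_t addr)
{
    return linear_page_index(vma, addr) >> HPAGE_ORDER;
}

/* Stand-in for hugetlb_fault_mutex_hash(): the kernel hashes (mapping, idx)
 * with jhash2 and masks to the table size; a multiplicative mix is used here.
 * 'mapping' models the address_space pointer. */
static uint32_t fault_mutex_hash(uint64_t mapping, uint64_t idx)
{
    uint64_t h = mapping ^ (idx * 0x9E3779B97F4A7C15ULL);
    h ^= h >> 32;
    h *= 0xBF58476D1CE4E5B9ULL;
    h ^= h >> 29;
    return (uint32_t)(h & (NUM_FAULT_MUTEXES - 1));
}

/* Slot taken by the hugetlb fault path: huge-page-unit index. */
static uint32_t fault_path_slot(const struct vma *vma, uint64_t mapping, uint64_t addr)
{
    return fault_mutex_hash(mapping, hugetlb_linear_page_index(vma, addr));
}

/* Slot taken by the pre-fix mfill_atomic_hugetlb(): PAGE_SIZE-unit index fed
 * to a hash that expects huge-page units. */
static uint32_t buggy_mfill_slot(const struct vma *vma, uint64_t mapping, uint64_t addr)
{
    return fault_mutex_hash(mapping, linear_page_index(vma, addr));
}

/* Slot taken by the fixed mfill_atomic_hugetlb(). */
static uint32_t fixed_mfill_slot(const struct vma *vma, uint64_t mapping, uint64_t addr)
{
    return fault_mutex_hash(mapping, hugetlb_linear_page_index(vma, addr));
}

/* Constructed example: hugetlbfs mapping at 0x7f0000000000 whose file offset is
 * 4 huge pages (vm_pgoff counts base pages), under a fake address_space pointer. */
static const struct vma demo_vma = { .vm_start = 0x7f0000000000ULL,
                                     .vm_pgoff = 4ULL << HPAGE_ORDER };
static const uint64_t demo_mapping = 0xffff888012345000ULL;

/* How many of the VMA's first nr_hpages huge pages the buggy mfill path and the
 * fault path lock on different mutexes. UFFDIO_COPY hands the mfill path
 * huge-page-aligned addresses, so aligned addresses are used. */
static unsigned demo_mismatch_count(unsigned nr_hpages)
{
    unsigned mismatches = 0;
    for (unsigned i = 0; i < nr_hpages; i++) {
        uint64_t addr = demo_vma.vm_start + ((uint64_t)i << HPAGE_SHIFT);
        if (buggy_mfill_slot(&demo_vma, demo_mapping, addr) !=
            fault_path_slot(&demo_vma, demo_mapping, addr))
            mismatches++;
    }
    return mismatches;
}

/* 1 if faults at two different offsets inside huge page 3 and a fixed
 * UFFDIO_COPY of that huge page all agree on one mutex slot, else 0. */
static int demo_fixed_path_serializes(void)
{
    uint64_t base = demo_vma.vm_start + (3ULL << HPAGE_SHIFT);
    uint32_t copy_slot = fixed_mfill_slot(&demo_vma, demo_mapping, base);
    uint32_t fault_a = fault_path_slot(&demo_vma, demo_mapping, base + 0x1000);
    uint32_t fault_b = fault_path_slot(&demo_vma, demo_mapping, base + 0x1ff000);
    return copy_slot == fault_a && copy_slot == fault_b;
}

int main(void)
{
    uint64_t addr = demo_vma.vm_start + (3ULL << HPAGE_SHIFT) + 0x1000; /* in huge page 3 */
    uint64_t aligned = addr & ~((1ULL << HPAGE_SHIFT) - 1);
    printf("PAGE-unit index:  %" PRIu64 "\n", linear_page_index(&demo_vma, addr));
    printf("huge-unit index:  %" PRIu64 "\n", hugetlb_linear_page_index(&demo_vma, addr));
    printf("fault path slot:  %u\n", fault_path_slot(&demo_vma, demo_mapping, addr));
    printf("buggy mfill slot: %u\n", buggy_mfill_slot(&demo_vma, demo_mapping, aligned));
    printf("fixed mfill slot: %u\n", fixed_mfill_slot(&demo_vma, demo_mapping, aligned));
    printf("huge pages of 64 where buggy and fault paths disagree: %u\n",
           demo_mismatch_count(64));
    return 0;
}
```

With a huge-page-aligned vm_pgoff, the PAGE_SIZE-unit index the buggy path hashes is the huge-page index multiplied by 512, so the two paths feed different keys to the hash and almost never land on the same of the 256 slots; after the fix, every address within a huge page and the UFFDIO_COPY of that page hash to a single slot, which is what makes the mutex serialize them.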
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
- git.kernel.org/stable/c/0217c7fb4de4a40cee667eb21901f3204effe5ac (nvd, Patch)
- git.kernel.org/stable/c/08282b1bf74c69fc8ecd25493e7fdb5460f01290 (nvd, Patch)
- git.kernel.org/stable/c/574501ede47ac439afd67ba9812bc66722d500ba (nvd, Patch)
- git.kernel.org/stable/c/5a525c43baaba0bf3063f86996ca3623b71e4172 (nvd, Patch)
- git.kernel.org/stable/c/f4689fc089765d36c026063fb22d23533e883eb6 (nvd, Patch)
News mentions (0)
No linked articles in our index yet.