CVE-2026-43348
Description
In the Linux kernel, the following vulnerability has been resolved:
mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER
When registering VTL0 memory via MSHV_ADD_VTL0_MEMORY, the kernel computes pgmap->vmemmap_shift as the number of trailing zeros in the OR of start_pfn and last_pfn, intending to use the largest compound page order both endpoints are aligned to.
However, this value is not clamped to MAX_FOLIO_ORDER, so a sufficiently aligned range (e.g. physical range [0x800000000000, 0x800080000000), corresponding to start_pfn=0x800000000 with 35 trailing zeros) can produce a shift larger than what memremap_pages() accepts, triggering a WARN and returning -EINVAL:
WARNING: ... memremap_pages+0x512/0x650 requested folio size unsupported
The MAX_FOLIO_ORDER check was added by commit 646b67d57589 ("mm/memremap: reject unreasonable folio/compound page sizes in memremap_pages()").
Fix this by clamping vmemmap_shift to MAX_FOLIO_ORDER so we always request the largest order the kernel supports, in those cases, rather than an out-of-range value.
Also fix the error path to propagate the actual error code from devm_memremap_pages() instead of hard-coding -EFAULT, which was masking the real -EINVAL return.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, mshv_vtl fails to clamp vmemmap_shift to MAX_FOLIO_ORDER to avoid WARN and -EINVAL on highly aligned memory ranges.
Vulnerability
In the Linux kernel's mshv_vtl subsystem, when registering VTL0 memory via MSHV_ADD_VTL0_MEMORY, the kernel computes pgmap->vmemmap_shift as the number of trailing zeros in the bitwise OR of start_pfn and last_pfn. This value is intended to select the largest compound page order that both endpoints are aligned to. However, the computed shift is not clamped to MAX_FOLIO_ORDER, so a sufficiently aligned memory range (e.g., physical range [0x800000000000, 0x800080000000) with 35 trailing zeros) can produce a shift larger than what memremap_pages() accepts, triggering a WARN and returning -EINVAL [1].
Exploitation
An attacker with the ability to trigger the registration of a highly aligned memory range (e.g., via the MSHV_ADD_VTL0_MEMORY ioctl) can cause the kernel to compute an out-of-range vmemmap_shift. This leads to a kernel warning and a failure of the memory registration operation, resulting in a denial of service (DoS) condition. No special privileges beyond the ability to issue the relevant ioctl are required, but the attack surface is limited to systems using the Microsoft Hyper-V VTL (Virtual Trust Level) feature.
Impact
A local attacker can cause a kernel WARN and prevent memory registration, leading to a denial of service. The impact is limited to availability; there is no evidence of memory corruption or privilege escalation. The CVSS v3 score of 5.5 (Medium) reflects this local DoS potential.
Mitigation
The fix clamps vmemmap_shift to MAX_FOLIO_ORDER so that the kernel always requests the largest supported order rather than an out-of-range value. Additionally, the error path is corrected to propagate the actual error code from devm_memremap_pages() instead of hard-coding -EFAULT, which was masking the real -EINVAL return [1]. The patch has been applied to the stable kernel tree and is available in commit 404cd6bffe17e25e0f94ed2775ffdd6cd10ac3fd [1]. Users should update to a kernel containing this fix.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.