{ "affected": [ { "ranges": [ { "events": [ { "introduced": "7fbb5e188248c50f737720825da1864ce42536d1" }, { "fixed": "08de46a75f91a6661bc1ce0a93614f4bc313c581" }, { "fixed": "0524ee56af2c9bfbad152a810f1ca95de8ca00d7" }, { "fixed": "f6fa05f0dddd387417d0c28281ddb951582514d6" }, { "fixed": "dd085fe9a8ebfc5d10314c60452db38d2b75e609" } ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "type": "GIT" } ] }, { "package": { "ecosystem": "Linux", "name": "Kernel" }, "ranges": [ { "events": [ { "introduced": "6.8.0" }, { "fixed": "6.12.78" } ], "type": "ECOSYSTEM" }, { "events": [ { "introduced": "6.13.0" }, { "fixed": "6.18.17" } ], "type": "ECOSYSTEM" }, { "events": [ { "introduced": "6.19.0" }, { "fixed": "6.19.7" } ], "type": "ECOSYSTEM" } ] } ], "database_specific": { "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23375.json" }, "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: thp: deny THP for files on anonymous inodes\n\nfile_thp_enabled() incorrectly allows THP for files on anonymous inodes\n(e.g. guest_memfd and secretmem). These files are created via\nalloc_file_pseudo(), which does not call get_write_access() and leaves\ninode-\u003ei_writecount at 0. Combined with S_ISREG(inode-\u003ei_mode) being\ntrue, they appear as read-only regular files when\nCONFIG_READ_ONLY_THP_FOR_FS is enabled, making them eligible for THP\ncollapse.\n\nAnonymous inodes can never pass the inode_is_open_for_write() check\nsince their i_writecount is never incremented through the normal VFS\nopen path. The right thing to do is to exclude them from THP eligibility\naltogether, since CONFIG_READ_ONLY_THP_FOR_FS was designed for real\nfilesystem files (e.g. shared libraries), not for pseudo-filesystem\ninodes.\n\nFor guest_memfd, this allows khugepaged and MADV_COLLAPSE to create\nlarge folios in the page cache via the collapse path, but the\nguest_memfd fault handler does not support large folios. This triggers\nWARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping().\n\nFor secretmem, collapse_file() tries to copy page contents through the\ndirect map, but secretmem pages are removed from the direct map. This\ncan result in a kernel crash:\n\n BUG: unable to handle page fault for address: ffff88810284d000\n RIP: 0010:memcpy_orig+0x16/0x130\n Call Trace:\n collapse_file\n hpage_collapse_scan_file\n madvise_collapse\n\nSecretmem is not affected by the crash on upstream as the memory failure\nrecovery handles the failed copy gracefully, but it still triggers\nconfusing false memory failure reports:\n\n Memory failure: 0x106d96f: recovery action for clean unevictable\n LRU page: Recovered\n\nCheck IS_ANON_FILE(inode) in file_thp_enabled() to deny THP for all\nanonymous inode files.", "id": "CVE-2026-23375", "modified": "2026-04-01T23:09:31.572889176Z", "published": "2026-03-25T10:27:55.754Z", "references": [ { "type": "PACKAGE", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/0524ee56af2c9bfbad152a810f1ca95de8ca00d7" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/08de46a75f91a6661bc1ce0a93614f4bc313c581" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/dd085fe9a8ebfc5d10314c60452db38d2b75e609" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/f6fa05f0dddd387417d0c28281ddb951582514d6" }, { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23375.json" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23375" } ], "schema_version": "1.7.3", "summary": "mm: thp: deny THP for files on anonymous inodes" }