{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "405ce051236cc65b30bbfe490b28ce60ae6aed85"
            },
            {
              "fixed": "fc3ff42cb0cbf947e4600ae9761c3783760050e2"
            },
            {
              "fixed": "77b73b54801ae7137479c141fd0473a491c1dc48"
            },
            {
              "fixed": "a33bfed648c10f5a1519981dbfad80841191edc8"
            },
            {
              "fixed": "dd77a83915b07e2b0205adb284f08b39ae31dc4b"
            },
            {
              "fixed": "bf7ba8f96c258c30393814491930ae4ecdc5fe5e"
            },
            {
              "fixed": "3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "62d1655b922958826b7ec22682c3141746f75064"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "5.15.54"
            },
            {
              "fixed": "5.16"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.18.0"
            },
            {
              "fixed": "6.1.176"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.143"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.94"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.36"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "7.0.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53207.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison\n\nTwo concurrent madvise(MADV_HWPOISON) calls on the same hugetlb page can\ntrigger a recursive spinlock self-deadlock (AA deadlock) on hugetlb_lock\nwhen racing with a concurrent unmap:\n\n  thread#0                              thread#1\n  --------                              --------\n  madvise(folio, MADV_HWPOISON)\n    -\u003e poisons the folio successfully\n  madvise(folio, MADV_HWPOISON)         unmap(folio)\n    try_memory_failure_hugetlb\n      get_huge_page_for_hwpoison\n        spin_lock_irq(\u0026hugetlb_lock)    \u003c- held\n        __get_huge_page_for_hwpoison\n          hugetlb_update_hwpoison()\n            -\u003e MF_HUGETLB_FOLIO_PRE_POISONED\n          goto out:\n            folio_put()\n              refcount: 1 -\u003e 0\n              free_huge_folio()\n                spin_lock_irqsave(\u0026hugetlb_lock)\n                  -\u003e AA DEADLOCK!\n\nThe out: path in __get_huge_page_for_hwpoison() calls folio_put() to drop\nthe GUP reference while the hugetlb_lock is still held by the hugetlb.c\nwrapper get_huge_page_for_hwpoison().  If concurrent unmap has released\nthe page table mapping reference, folio_put() drops the folio refcount to\nzero, triggering free_huge_folio() which attempts to re-acquire the\nnon-recursive hugetlb_lock.\n\nFix this by moving hugetlb_lock acquisition from the hugetlb.c wrapper\ninto get_huge_page_for_hwpoison().  Place spin_unlock_irq() before the\nfolio_put() at the out: label so the folio is always released outside the\nlock.\n\n[akpm@linux-foundation.org: fix race, rename label per Miaohe]",
  "id": "CVE-2026-53207",
  "modified": "2026-07-08T05:36:09.231471599Z",
  "published": "2026-06-25T08:39:13.592Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/77b73b54801ae7137479c141fd0473a491c1dc48"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a33bfed648c10f5a1519981dbfad80841191edc8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bf7ba8f96c258c30393814491930ae4ecdc5fe5e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dd77a83915b07e2b0205adb284f08b39ae31dc4b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fc3ff42cb0cbf947e4600ae9761c3783760050e2"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53207.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53207"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "summary": "mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison"
}