目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1336

100%

CVE-2026-53155— Linux内核巨大内存管理PMD条目标志错误漏洞

AI 预测 7.8 利用难度: 中等 EPSS 0.17% · P7
获取后续新漏洞提醒登录后订阅

一、 漏洞 CVE-2026-53155 基础信息

漏洞信息

对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗

尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。

Vulnerability Title
mm/huge_memory: use correct flags for device private PMD entry
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: use correct flags for device private PMD entry Commit 65edfda6f3f2 ("mm/rmap: extend rmap and migration support device-private entries") updated set_pmd_migration_entry() to use pmdp_huge_get_and_clear() in the softleaf case, but made no further adjustments to the function itself. Therefore this function continues to incorrectly use pmd_write(), pmd_soft_dirty() and pmd_uffd_wp() to determine whether the installed migration entry should be marked writable, softdirty or uffd-wp respectively. Whilst all are incorrect, the most problematic of these is pmd_write(), as this can lead to corrupted rmap state. On x86-64 _PAGE_SWP_SOFT_DIRTY is aliased to _PAGE_RW. So calling pmd_write() on a softleaf will return the softdirty state encoded in the entry, assuming CONFIG_MEM_SOFT_DIRTY was enabled. This was observed when running the hmm.hmm_device_private.anon_write_child selftest: 1. The test faults in a range then migrates it such that a device-private THP range is established. 2. The parent then migrates it to a device-private writable PMD entry whose folio is entirely AnonExclusive with entire_mapcount=1, softdirty set (accidentally correct write state). 3. The parent forks and the PMD entries are set to device-private read only entries, entire_mapcount=2, softdirty still set. 4. [BUG] The child writes to the range then migrates to RAM - intending to install non-writable migration entries - but replacing parent and child PMD mappings with WRITABLE entries due to misinterpreting the softdirty bit. 5. In remove_migration_pmd(), if !softleaf_is_migration_read(entry) we set the RMAP_EXCLUSIVE flag when calling folio_add_anon_rmap_pmd() for both parent and child, which are therefore AnonExclusive. 6. [SPLAT] Child sets migrated folio entire_mapcount=1, parent sets entire_mapcount=2 and we end up with an AnonExclusive folio with entire_mapcount=2! Assert fires in __folio_add_anon_rmap(): VM_WARN_ON_FOLIO(folio_test_large(folio) && folio_entire_mapcount(folio) > 1 && PageAnonExclusive(cur_page), folio) This patch fixes the issue by correctly referencing the softleaf entry fields for writable, softdirty and uffd-wp in set_pmd_migration_entry(). It also only updates A/D flags if the entry is present as these are otherwise not meaningful for a softleaf entry. This patch also flips the if (!present) { ... } else { ... } logic in set_pmd_migration_entry() so it is easier to understand, and adds some comments to make things clearer. I was able to bisect this to commit 775465fd26a3 ("lib/test_hmm: add zone device private THP test infrastructure") which first exposes this bug as it was the commit that permitted test_hmm to generate the test. However commit 65edfda6f3f2 ("mm/rmap: extend rmap and migration support device-private entries") is the commit that actually enabled this behaviour.
来源: 美国国家漏洞数据库 NVD
CVSS Information
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
N/A
来源: 美国国家漏洞数据库 NVD

受影响产品

厂商产品影响版本CPE订阅
LinuxLinux 65edfda6f3f2e58f757485a056e4f1775a1404a8 ~ d7251c8d3f7cea76543abac6cf4ed15582c10846 -
LinuxLinux 6.19 -

二、漏洞 CVE-2026-53155 的公开POC

#POC 描述源链接神龙链接
AI 生成 POC高级

未找到公开 POC。

登录以生成 AI POC

三、漏洞 CVE-2026-53155 的情报信息

登录查看更多情报信息。

CVE-2026-53155 补丁与修复 (2)

同批安全公告 · Linux · 2026-06-25 · 共 147 条

CVE-2026-531759.8 CRITICALLinux inet frag使用完后释放漏洞
CVE-2026-531769.8 CRITICALIB/isert: 拒绝短于ISER_HEADERS_LEN的登录PDU漏洞
CVE-2026-532219.8 CRITICALLinux ip6_vti vti6_tnl_lookup 隧道匹配错误漏洞
CVE-2026-532289.8 CRITICALIPv6 SIT 在 GSO 卸载后重新加载内部 IPv6 头漏洞
CVE-2026-532169.8 CRITICALMarvell mvpp2 XDP 帧大小限制漏洞
CVE-2026-531519.8 CRITICALrxrpc ACK解析器未正确提取SACK表
CVE-2026-532609.8 CRITICALTCP reqsk_queue_hash_req()嵌套抢占关闭/开启问题
CVE-2026-532159.8 CRITICALMarvell mvpp2驱动RX缓冲区填充漏洞
CVE-2026-532479.8 CRITICALMTK以太网驱动元数据拆除时 Use-after-free漏洞
CVE-2026-532469.8 CRITICALSCTP缓存对端INIT分片长度验证缺陷
CVE-2026-531319.4 CRITICALnetfilter:eth_hdr() 使用前需验证以太网MAC头
CVE-2026-532259.1 CRITICALLinux SCTP __sctp_rcv_asconf_lookup() 未初始化值漏洞
CVE-2026-531869.1 CRITICALRDMA/srp SRP响应长度限制漏洞
CVE-2026-532249.1 CRITICALSCTP INIT 块及地址列表长度验证漏洞
CVE-2026-532008.8 HIGHKVM arm64 嵌套虚拟化 XN[0] 处理漏洞
CVE-2026-532778.8 HIGHKVM ARM64 页表遍历缺页注入和AT模拟漏洞
CVE-2026-532328.8 HIGH内核net: phy模块sfp探测失败清理漏洞
CVE-2026-532488.8 HIGHAiroha 网络驱动 metadata dst 拆除时存在释放后使用漏洞
CVE-2026-531988.8 HIGHksmbd SMB2_CANCEL双重取消导致use-after-free漏洞
CVE-2026-532408.8 HIGHxfrm: iptfs 修复 __input_process_payload 中 first_skb 释放后使用漏洞

显示前 20 条,共 147 条。 查看全部 → →

IV. Related Vulnerabilities

V. Comments for CVE-2026-53155

暂无评论


发表评论