{
  "threat_severity" : "Moderate",
  "public_date" : "2026-02-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Linux kernel: Denial of Service due to a deadlock in hugetlb folio migration",
    "id" : "2436802",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2436802"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-833",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmigrate: correct lock ordering for hugetlb file folios\nSyzbot has found a deadlock (analyzed by Lance Yang):\n1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).\n2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire\nfolio_lock.\nmigrate_pages()\n-> migrate_hugetlbs()\n-> unmap_and_move_huge_page()     <- Takes folio_lock!\n-> remove_migration_ptes()\n-> __rmap_walk_file()\n-> i_mmap_lock_read()       <- Waits for i_mmap_rwsem(read lock)!\nhugetlbfs_fallocate()\n-> hugetlbfs_punch_hole()           <- Takes i_mmap_rwsem(write lock)!\n-> hugetlbfs_zero_partial_page()\n-> filemap_lock_hugetlb_folio()\n-> filemap_lock_folio()\n-> __filemap_get_folio        <- Waits for folio_lock!\nThe migration path is the one taking locks in the wrong order according to\nthe documentation at the top of mm/rmap.c.  So expand the scope of the\nexisting i_mmap_lock to cover the calls to remove_migration_ptes() too.\nThis is (mostly) how it used to be after commit c0d0381ade79.  That was\nremoved by 336bf30eb765 for both file & anon hugetlb pages when it should\nonly have been removed for anon hugetlb pages.", "A flaw was found in the Linux kernel. A local attacker could exploit a deadlock vulnerability due to incorrect lock ordering between folio_lock and i_mmap_rwsem when migrating hugetlb file-backed folios. This could lead to hung tasks and potential system-wide stalls, resulting in a Denial of Service (DoS)." ],
  "statement" : "A deadlock can occur when migrating hugetlb file backed folios due to incorrect lock ordering between folio_lock and the mapping i_mmap_rwsem. One task in the migration path can hold folio_lock and then block on i_mmap_lock_read. Another task such as hugetlbfs fallocate or punch hole can hold i_mmap_lock_write and then block on folio_lock. This ABBA pattern can hang tasks indefinitely and lead to a denial of service. For the CVSS the PR is N because the involved operations can be triggered by normal users who can access hugetlbfs and run memory pressure and file operations. The issue is not network reachable. Impact is denial of service due to hung tasks and potential system wide stalls.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-03-09T00:00:00Z",
    "advisory" : "RHSA-2026:4012",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.43.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-03-02T00:00:00Z",
    "advisory" : "RHSA-2026:3463",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.109.1.rt7.450.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-03-02T00:00:00Z",
    "advisory" : "RHSA-2026:3464",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.109.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-03-02T00:00:00Z",
    "advisory" : "RHSA-2026:3488",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.36.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-03-02T00:00:00Z",
    "advisory" : "RHSA-2026:3488",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.36.1.el9_7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23097\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23097\nhttps://lore.kernel.org/linux-cve-announce/2026020427-CVE-2026-23097-a591@gregkh/T" ],
  "name" : "CVE-2026-23097",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}