UBUNTU-CVE-2026-23375
Vulnerability Summary
Timeline
Description
In the Linux kernel, the following vulnerability has been resolved: mm: thp: deny THP for files on anonymous inodes file_thp_enabled() incorrectly allows THP for files on anonymous inodes (e.g. guest_memfd and secretmem). These files are created via alloc_file_pseudo(), which does not call get_write_access() and leaves inode->i_writecount at 0. Combined with S_ISREG(inode->i_mode) being true, they appear as read-only regular files when CONFIG_READ_ONLY_THP_FOR_FS is enabled, making them eligible for THP collapse. Anonymous inodes can never pass the inode_is_open_for_write() check since their i_writecount is never incremented through the normal VFS open path. The right thing to do is to exclude them from THP eligibility altogether, since CONFIG_READ_ONLY_THP_FOR_FS was designed for real filesystem files (e.g. shared libraries), not for pseudo-filesystem inodes. For guest_memfd, this allows khugepaged and MADV_COLLAPSE to create large folios in the page cache via the collapse path, but the guest_memfd fault handler does not support large folios. This triggers WARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping(). For secretmem, collapse_file() tries to copy page contents through the direct map, but secretmem pages are removed from the direct map. This can result in a kernel crash: BUG: unable to handle page fault for address: ffff88810284d000 RIP: 0010:memcpy_orig+0x16/0x130 Call Trace: collapse_file hpage_collapse_scan_file madvise_collapse Secretmem is not affected by the crash on upstream as the memory failure recovery handles the failed copy gracefully, but it still triggers confusing false memory failure reports: Memory failure: 0x106d96f: recovery action for clean unevictable LRU page: Recovered Check IS_ANON_FILE(inode) in file_thp_enabled() to deny THP for all anonymous inode files.
CVSS Metrics
- v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Systems
- ubuntu•linux
all | all
- ubuntu•linux-allwinner-5.19
all
- ubuntu•linux-aws
all | all
- ubuntu•linux-aws-5.0
all
- ubuntu•linux-aws-5.11
all
- ubuntu•linux-aws-5.13
all
- ubuntu•linux-aws-5.19
all
- ubuntu•linux-aws-5.3
all
- ubuntu•linux-aws-5.8
all
- ubuntu•linux-aws-6.14
all
- ubuntu•linux-aws-6.17
all
- ubuntu•linux-aws-6.2
all
- ubuntu•linux-aws-6.5
all
- ubuntu•linux-aws-6.8
all
- ubuntu•linux-aws-fips
all
- ubuntu•linux-azure
all | all | all
- ubuntu•linux-azure-5.11
all
- ubuntu•linux-azure-5.13
all
- ubuntu•linux-azure-5.19
all
- ubuntu•linux-azure-5.3
all
- ubuntu•linux-azure-5.8
all
- ubuntu•linux-azure-6.11
all
- ubuntu•linux-azure-6.14
all
- ubuntu•linux-azure-6.17
all
- ubuntu•linux-azure-6.2
all
- ubuntu•linux-azure-6.5
all
- ubuntu•linux-azure-6.8
all
- ubuntu•linux-azure-edge
all
- ubuntu•linux-azure-fde
all | all | all
- ubuntu•linux-azure-fde-5.19
all
- ubuntu•linux-azure-fde-6.14
all
- ubuntu•linux-azure-fde-6.17
all
- ubuntu•linux-azure-fde-6.2
all
- ubuntu•linux-azure-fde-6.8
all
- ubuntu•linux-azure-fips
all
- ubuntu•linux-azure-nvidia
all
- ubuntu•linux-azure-nvidia-6.14
all
- ubuntu•linux-bluefield
all
- ubuntu•linux-fips
all
- ubuntu•linux-gcp
all | all | all
- ubuntu•linux-gcp-5.11
all
- ubuntu•linux-gcp-5.13
all
- ubuntu•linux-gcp-5.19
all
- ubuntu•linux-gcp-5.3
all
- ubuntu•linux-gcp-5.8
all
- ubuntu•linux-gcp-6.11
all
- ubuntu•linux-gcp-6.14
all
- ubuntu•linux-gcp-6.17
all
- ubuntu•linux-gcp-6.2
all
- ubuntu•linux-gcp-6.5
all
Showing first 50 affected entries in server-rendered view.
References (7)
- https://ubuntu.com/security/CVE-2026-23375
- https://www.cve.org/CVERecord?id=CVE-2026-23375
- https://git.kernel.org/linus/dd085fe9a8ebfc5d10314c60452db38d2b75e609
- https://git.kernel.org/stable/c/0524ee56af2c9bfbad152a810f1ca95de8ca00d7
- https://git.kernel.org/stable/c/08de46a75f91a6661bc1ce0a93614f4bc313c581
- https://git.kernel.org/stable/c/dd085fe9a8ebfc5d10314c60452db38d2b75e609
- https://git.kernel.org/stable/c/f6fa05f0dddd387417d0c28281ddb951582514d6