CVE-2026-46013
Analyzed - Analysis Complete
Memory Corruption in Linux Kernel memfd_luo

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

mm/memfd_luo: fix physical address conversion in put_folios cleanup

In memfd_luo_retrieve_folios()'s put_folios cleanup path:

1. kho_restore_folio() expects a phys_addr_t (physical address) but receives a raw PFN (pfolio->pfn). This causes kho_restore_page() to check the wrong physical address (pfn << PAGE_SHIFT instead of the actual physical address).
2. This loop lacks the !pfolio->pfn check that exists in the main retrieval loop and memfd_luo_discard_folios(), which could incorrectly process sparse file holes where pfn=0.

Fix by converting PFN to physical address with PFN_PHYS() and adding the !pfolio->pfn check, matching the pattern used elsewhere in this file.

This issue was identified by the AI review.
https://sashiko.dev/#/patchset/[email protected]

Meta Information
Published: 2026-05-27
Last Modified: 2026-06-16
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15

Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: linux_kernel
Version / Range: From 6.19 (inc) to 7.0.4 (exc)

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability exists in the Linux kernel's memfd_luo component, specifically in the put_folios cleanup path of the memfd_luo_retrieve_folios() function.

The issue arises because the function kho_restore_folio() expects a physical address (phys_addr_t) but instead receives a raw page frame number (PFN). This causes the subsequent function kho_restore_page() to check an incorrect physical address.

Additionally, a loop in the code lacks a check for pfolio->pfn being zero, which can lead to incorrect processing of sparse file holes.

The fix involves properly converting the PFN to a physical address using PFN_PHYS() and adding the missing check for pfolio->pfn being zero, aligning with the correct pattern used elsewhere in the code.
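
The two defects described above, modeled in user-space C as an added example (this is not the kernel's code or the upstream patch). It assumes 4 KiB pages; the `model_` names and the sample PFNs are constructed for illustration, and `PFN_PHYS`/`PHYS_PFN` are redefined locally to mirror the kernel macros of the same name.

```c
#include <stdint.h>
#include <stdio.h>

/* User-space model only; model_* names are hypothetical, not kernel symbols. */
typedef uint64_t phys_addr_t;
#define PAGE_SHIFT 12                       /* assumption: 4 KiB pages */
#define PFN_PHYS(pfn) ((phys_addr_t)(pfn) << PAGE_SHIFT)
#define PHYS_PFN(pa)  ((uint64_t)((pa) >> PAGE_SHIFT))
struct model_pfolio { uint64_t pfn; };      /* pfn == 0 marks a sparse hole */

/* Constructed sample: two preserved folios with a hole between them. */
static const struct model_pfolio sample[] = { {0x12345}, {0}, {0x12346} };
#define NR_SAMPLE (sizeof(sample) / sizeof(sample[0]))

/* Stand-in for a restore routine that takes a physical address; it succeeds
 * only when that address maps back to a PFN that was really preserved. */
static int model_restore(phys_addr_t phys)
{
    uint64_t pfn = PHYS_PFN(phys);
    for (size_t i = 0; i < NR_SAMPLE; i++)
        if (sample[i].pfn && sample[i].pfn == pfn)
            return 1;
    return 0;
}

/* Cleanup as described before the fix: raw PFN passed, holes not skipped.
 * Returns how many entries were handed to restore without resolving. */
static int cleanup_before_fix(void)
{
    int bad = 0;
    for (size_t i = 0; i < NR_SAMPLE; i++)
        bad += !model_restore(sample[i].pfn);   /* PFN used as an address */
    return bad;
}

/* Cleanup with both corrections: skip holes, convert with PFN_PHYS(). */
static int cleanup_after_fix(void)
{
    int bad = 0;
    for (size_t i = 0; i < NR_SAMPLE; i++) {
        if (!sample[i].pfn)
            continue;                           /* sparse hole: nothing to put */
        bad += !model_restore(PFN_PHYS(sample[i].pfn));
    }
    return bad;
}

int main(void) { printf("%d %d\n", cleanup_before_fix(), cleanup_after_fix()); return 0; }
```

In the model, a raw PFN of 0x12345 treated as an address resolves to page 0x12, so every lookup in the uncorrected loop lands on the wrong page, and the hole entry is processed as if it were a folio.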

Impact Analysis

This vulnerability in the Linux kernel involves incorrect handling of physical address conversion during memory cleanup in memfd_luo_retrieve_folios(). Specifically, the function kho_restore_folio() receives a raw PFN instead of a physical address, causing it to check the wrong physical address. Additionally, the cleanup loop may incorrectly process sparse file holes where the PFN is zero. These issues could lead to improper memory management or data corruption during cleanup operations.

Mitigation Strategies

The vulnerability has been fixed in the Linux kernel by correcting the physical address conversion in the memfd_luo module's put_folios cleanup path.

To mitigate this vulnerability, update your Linux kernel to a version that includes this fix. The affected range listed on this page runs from 6.19 (inclusive) to 7.0.4 (exclusive).
