CVE-2026-46017
Status: Analyzed - Analysis Complete
Race Condition in Linux Kernel Memory Migration Fix

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

mm: fix deferred split queue races during migration

migrate_folio_move() records the deferred split queue state from src and replays it on dst. Replaying it after remove_migration_ptes(src, dst, 0) makes dst visible before it is requeued, so a concurrent rmap-removal path can mark dst partially mapped and trip the WARN in deferred_split_folio().

Move the requeue before remove_migration_ptes() so dst is back on the deferred split queue before it becomes visible again.

Because migration still holds dst locked at that point, teach deferred_split_scan() to requeue a folio when folio_trylock() fails. Otherwise a fully mapped underused folio can be dequeued by the shrinker and silently lost from split_queue.

[[email protected]: move the comment]
Meta Information
Published: 2026-05-27
Last Modified: 2026-06-16
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Associated CPEs: 1
Vendor: linux
Product: linux_kernel
Version / Range: to 7.0.4 (exc)
CWE ID: CWE-362
Description: The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Executive Summary

This vulnerability involves a race condition in the Linux kernel's memory management system, specifically related to the deferred split queue during page migration.

The function migrate_folio_move() records the deferred split queue state of the source folio (src) and replays it on the destination folio (dst). Replaying it after remove_migration_ptes(src, dst, 0) makes dst visible before it is requeued, so a concurrent rmap-removal path can mark dst as partially mapped and trip the WARN in deferred_split_folio().

The fix moves the requeue operation before remove_migration_ptes() so that dst is back on the deferred split queue before it becomes visible again. Because migration still holds dst locked at that point, deferred_split_scan() was also updated to requeue a folio when folio_trylock() fails, which prevents a fully mapped but underused folio from being dequeued by the shrinker and silently lost from split_queue.
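
The requeue-on-failed-trylock half of the fix, shown as an added userspace model in C (not kernel code and not part of the original page). The struct layouts, MAXQ, enqueue(), scan() and dst_survives_scan() are hypothetical names, and the model assumes an unlocked folio is fully handled by the pass.

```c
#include <stdbool.h>
#include <stddef.h>

#define MAXQ 8
/* Userspace model only: these are not the kernel's struct definitions. */
struct folio { bool locked; bool queued; };
struct split_queue { struct folio *items[MAXQ]; size_t len; };

static void enqueue(struct split_queue *q, struct folio *f)
{
    if (f->queued || q->len == MAXQ)
        return;
    q->items[q->len++] = f;
    f->queued = true;
}

/* One shrinker pass; returns how many folios remain queued afterwards. */
static size_t scan(struct split_queue *q, bool requeue_on_trylock_fail)
{
    struct folio *batch[MAXQ];
    size_t n = q->len;

    for (size_t i = 0; i < n; i++) {    /* dequeue everything first */
        batch[i] = q->items[i];
        batch[i]->queued = false;
    }
    q->len = 0;
    for (size_t i = 0; i < n; i++) {
        if (!batch[i]->locked)
            continue;   /* lock taken: the model treats the folio as handled */
        if (requeue_on_trylock_fail)
            enqueue(q, batch[i]);   /* fixed: retried on a later pass */
        /* unfixed: nothing puts it back, so it is lost from the queue */
    }
    return q->len;
}

/* dst is requeued while migration still holds its lock, then the shrinker runs. */
static bool dst_survives_scan(bool fixed)
{
    struct split_queue q = { .len = 0 };
    struct folio other = { false, false }, dst = { true, false };

    enqueue(&q, &other);
    enqueue(&q, &dst);
    scan(&q, fixed);
    return dst.queued;
}

int main(void) { return dst_survives_scan(true) && !dst_survives_scan(false) ? 0 : 1; }
```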

Impact Analysis

This vulnerability can cause memory management inconsistencies in the Linux kernel, potentially leading to warnings or errors during memory page migration.

Specifically, a folio may be marked partially mapped before it is back on the deferred split queue, or may be lost from the deferred split queue entirely, which could affect system stability or performance.
