CVE-2026-53109
Status: Received - Intake
Bad page state in Linux kernel powerpc PTE fragment handling

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy

powerpc uses pt_frag_refcount as a reference counter for tracking its pte and pmd page table fragments. For a PTE table, in the case of Hash with 64K page size, we have 16 fragments of 4K size in one 64K page.

Patch series [1] "mm: free retracted page table by RCU" added pte_free_defer() to defer the freeing of PTE tables when retract_page_tables() is called for madvise MADV_COLLAPSE on a shmem range.

[1]: https://lore.kernel.org/all/[email protected]/

pte_free_defer() sets the active flag on the corresponding fragment's folio and calls pte_fragment_free(), which reduces pt_frag_refcount. When pt_frag_refcount reaches 0 (no active fragment using the folio), it checks whether the folio active flag is set: if set, it calls call_rcu to free the folio; if the active flag is unset, it calls pte_free_now().

Now, this can lead to the following problem in a corner case...

[ 265.351553][ T183] BUG: Bad page state in process a.out pfn:20d62
[ 265.353555][ T183] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20d62
[ 265.355457][ T183] flags: 0x3ffff800000100(active|node=0|zone=0|lastcpupid=0x7ffff)
[ 265.358719][ T183] raw: 003ffff800000100 0000000000000000 5deadbeef0000122 0000000000000000
[ 265.360177][ T183] raw: 0000000000000000 c0000000119caf58 00000000ffffffff 0000000000000000
[ 265.361438][ T183] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
[ 265.362572][ T183] Modules linked in:
[ 265.364622][ T183] CPU: 0 UID: 0 PID: 183 Comm: a.out Not tainted 6.18.0-rc3-00141-g1ddeaaace7ff-dirty #53 VOLUNTARY
[ 265.364785][ T183] Hardware name: IBM pSeries (emulated by qemu) POWER10 (architected) 0x801200 0xf000006 of:SLOF,git-ee03ae pSeries
[ 265.364908][ T183] Call Trace:
[ 265.364955][ T183] [c000000011e6f7c0] [c000000001cfaa18] dump_stack_lvl+0x130/0x148 (unreliable)
[ 265.365202][ T183] [c000000011e6f7f0] [c000000000794758] bad_page+0xb4/0x1c8
[ 265.365384][ T183] [c000000011e6f890] [c00000000079c020] __free_frozen_pages+0x838/0xd08
[ 265.365554][ T183] [c000000011e6f980] [c0000000000a70ac] pte_frag_destroy+0x298/0x310
[ 265.365729][ T183] [c000000011e6fa30] [c0000000000aa764] arch_exit_mmap+0x34/0x218
[ 265.365912][ T183] [c000000011e6fa80] [c000000000751698] exit_mmap+0xb8/0x820
[ 265.366080][ T183] [c000000011e6fc30] [c0000000001b1258] __mmput+0x98/0x300
[ 265.366244][ T183] [c000000011e6fc80] [c0000000001c81f8] do_exit+0x470/0x1508
[ 265.366421][ T183] [c000000011e6fd70] [c0000000001c95e4] do_group_exit+0x88/0x148
[ 265.366602][ T183] [c000000011e6fdc0] [c0000000001c96ec] pid_child_should_wake+0x0/0x178
[ 265.366780][ T183] [c000000011e6fdf0] [c00000000003a270] system_call_exception+0x1b0/0x4e0
[ 265.366958][ T183] [c000000011e6fe50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec

The bad page state error occurs when such a folio gets freed (with the active flag set) from the do_exit() path in parallel.

... this can happen when the pte fragment was allocated from this folio, but when all the fragments get freed, pt_frag_refcount still had some unused fragments. Now, if this process exits with such a folio as its cached pte_frag in mm->context, then during pte_frag_destroy() we simply call pagetable_dtor() and pagetable_free(), meaning it doesn't clear the active flag. This can lead to the above bug.

Since we are anyway in the do_exit() path, then if the refcount is 0, I guess it should be ok to simply clear the folio active flag before calling pagetable_dtor() & pagetable_free().
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products (3 associated CPEs)

Vendor        Product        Version / Range
linux         linux_kernel   6.18.0-rc3
linux         linux_kernel   6.18.0-rc3-00141
linux_kernel  linux_kernel   6.18.0-rc3-00141-g1ddeaaace7ff-dirty
CWE
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's powerpc architecture related to page table fragment management. Specifically, it involves the reference counting and freeing of page table fragments (pte fragments) when using large 64K pages with 16 fragments of 4K size each.

The issue arises in a corner case where the exit path (pte_frag_destroy()) does not clear the 'active' flag on a page table folio before freeing it, even though the fragment reference counter (pt_frag_refcount) has reached zero. This leads to a 'bad page state' error, a kernel bug triggered when the system attempts to free a page whose flags say it is still active.

The bug manifests as a kernel error during the do_exit() path when a process exits and the folio still has the active flag set despite the reference count reaching zero. The fix involves clearing the active flag before freeing the folio to prevent this bad page state.

Impact Analysis

This vulnerability can cause a kernel bug leading to a 'bad page state' error, which may result in system instability or crashes when processes exit under specific memory management conditions on powerpc architectures.

Such kernel errors can disrupt normal system operation, potentially causing unexpected process termination or system reboots, impacting availability and reliability.

Detection Guidance

This vulnerability manifests as a kernel bug related to a bad page state in the Linux kernel on powerpc architecture. It can be detected by monitoring kernel logs for specific error messages indicating a bad page state.

  • Check kernel logs (e.g., using dmesg or journalctl) for messages containing 'BUG: Bad page state' and details about pfn, refcount, and flags.
  • Use the command: dmesg | grep 'BUG: Bad page state' to filter relevant kernel error messages.
  • Monitor system logs for crashes or errors related to pte_frag_destroy or page table fragment reference counting.
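
As an added detection example (not part of the CVE record or the kernel project's code), the following Python script parses kernel log lines for the 'BUG: Bad page state' signature, collects the affected process, pfn, page flags and call-trace functions for that thread, and flags events that match the pattern described above (active flag set and pte_frag_destroy in the trace). The sample log is constructed from the trace quoted in the description; the function and regex names are my own.

```python
import re
from typing import Dict, List

# Constructed sample log, modelled on the trace quoted in the CVE description,
# plus one unrelated line to show that non-matching threads are ignored.
SAMPLE_LOG = """\
[  265.351553][ T183] BUG: Bad page state in process a.out  pfn:20d62
[  265.353555][ T183] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20d62
[  265.355457][ T183] flags: 0x3ffff800000100(active|node=0|zone=0|lastcpupid=0x7ffff)
[  265.361438][ T183] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
[  265.364908][ T183] Call Trace:
[  265.365202][ T183] [c000000011e6f7f0] [c000000000794758] bad_page+0xb4/0x1c8
[  265.365554][ T183] [c000000011e6f980] [c0000000000a70ac] pte_frag_destroy+0x298/0x310
[  265.365729][ T183] [c000000011e6fa30] [c0000000000aa764] arch_exit_mmap+0x34/0x218
[  265.365912][ T183] [c000000011e6fa80] [c000000000751698] exit_mmap+0xb8/0x820
[  300.000000][ T201] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

# Thread id printed by the kernel's log prefix, e.g. "[ T183]".
TID_RE = re.compile(r"\[\s*(?P<tid>T\d+)\]")
# First line of a bad-page report: process name and page frame number.
BUG_RE = re.compile(r"BUG: Bad page state in process (?P<comm>\S+)\s+pfn:(?P<pfn>[0-9a-f]+)")
# Decoded page flags, e.g. "flags: 0x...(active|node=0|...)".
FLAGS_RE = re.compile(r"flags: 0x[0-9a-f]+\((?P<flags>[^)]*)\)")
# One call-trace frame: two 64-bit addresses followed by "func+0xoff/0xsize".
FRAME_RE = re.compile(r"\[[0-9a-f]{16}\]\s+\[[0-9a-f]{16}\]\s+(?P<func>[A-Za-z_]\w*)\+0x")


def parse_bad_page_events(log_text: str) -> List[Dict]:
    """Group 'Bad page state' reports by thread id and gather flags and frames."""
    events: List[Dict] = []
    open_events: Dict[str, Dict] = {}  # thread id -> event still collecting lines
    for line in log_text.splitlines():
        tid_m = TID_RE.search(line)
        if not tid_m:
            continue
        tid = tid_m.group("tid")
        bug_m = BUG_RE.search(line)
        if bug_m:
            ev = {"tid": tid, "comm": bug_m.group("comm"), "pfn": bug_m.group("pfn"),
                  "flags": [], "frames": []}
            events.append(ev)
            open_events[tid] = ev
            continue
        ev = open_events.get(tid)
        if ev is None:
            continue  # line belongs to a thread that has not reported a bad page
        flags_m = FLAGS_RE.search(line)
        if flags_m:
            ev["flags"] = [f for f in flags_m.group("flags").split("|") if f]
            continue
        frame_m = FRAME_RE.search(line)
        if frame_m:
            ev["frames"].append(frame_m.group("func"))
    return events


def matches_pte_frag_signature(ev: Dict) -> bool:
    """True when the report has the CVE's shape: active flag set, freed via pte_frag_destroy."""
    return "active" in ev["flags"] and "pte_frag_destroy" in ev["frames"]


if __name__ == "__main__":
    for ev in parse_bad_page_events(SAMPLE_LOG):
        verdict = "matches pte_frag_destroy pattern" if matches_pte_frag_signature(ev) else "other"
        print(f"{ev['tid']} comm={ev['comm']} pfn={ev['pfn']} flags={ev['flags']} -> {verdict}")
```

In practice the input would be `dmesg` or `journalctl -k` output piped into the script; grouping by thread id matters because several threads can interleave their report lines in the kernel log.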
Mitigation Strategies

The vulnerability is fixed by a patch in the Linux kernel that properly clears the folio active flag before freeing page table fragments during process exit. Immediate mitigation involves updating the Linux kernel to a version that includes this fix.

  • Apply the latest Linux kernel updates that contain the patch for pte_frag_destroy and related page table fragment handling.
  • If updating immediately is not possible, monitor kernel logs closely for the bad page state error and avoid workloads that exercise the affected path on powerpc (Hash MMU with 64K pages, where madvise MADV_COLLAPSE on shmem ranges triggers deferred freeing of page table fragments).
  • Consider rebooting the system after applying the kernel update to ensure the fix is active.