{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-43286","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-01T14:12:55.999Z","datePublished":"2026-05-08T13:11:11.867Z","dateUpdated":"2026-05-11T22:21:37.239Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:21:37.239Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: restore failed global reservations to subpool\n\nCommit a833a693a490 (\"mm: hugetlb: fix incorrect fallback for subpool\")\nfixed an underflow error for hstate->resv_huge_pages caused by incorrectly\nattributing globally requested pages to the subpool's reservation.\n\nUnfortunately, this fix also introduced the opposite problem, which would\nleave spool->used_hpages elevated if the globally requested pages could\nnot be acquired.  This is because while a subpool's reserve pages only\naccounts for what is requested and allocated from the subpool, its \"used\"\ncounter keeps track of what is consumed in total, both from the subpool\nand globally.  Thus, we need to adjust spool->used_hpages in the other\ndirection, and make sure that globally requested pages are uncharged from\nthe subpool's used counter.\n\nEach failed allocation attempt increments the used_hpages counter by how\nmany pages were requested from the global pool.  Ultimately, this renders\nthe subpool unusable, as used_hpages approaches the max limit.\n\nThe issue can be reproduced as follows:\n1. Allocate 4 hugetlb pages\n2. Create a hugetlb mount with max=4, min=2\n3. Consume 2 pages globally\n4. Request 3 pages from the subpool (2 from subpool + 1 from global)\n\t4.1 hugepage_subpool_get_pages(spool, 3) succeeds.\n\t\tused_hpages += 3\n\t4.2 hugetlb_acct_memory(h, 1) fails: no global pages left\n\t\tused_hpages -= 2\n5. Subpool now has used_hpages = 1, despite not being able to\n   successfully allocate any hugepages. It believes it can now only\n   allocate 3 more hugepages, not 4.\n\nWith each failed allocation attempt incrementing the used counter, the\nsubpool eventually reaches a point where its used counter equals its\nmax counter.  At that point, any future allocations that try to\nallocate hugeTLB pages from the subpool will fail, despite the subpool\nnot having any of its hugeTLB pages consumed by any user.\n\nOnce this happens, there is no way to make the subpool usable again,\nsince there is no way to decrement the used counter as no process is\nreally consuming the hugeTLB pages.\n\nThe underflow issue that the original commit fixes still remains fixed\nas well.\n\nWithout this fix, used_hpages would keep on leaking if\nhugetlb_acct_memory() fails."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["mm/hugetlb.c"],"versions":[{"version":"a833a693a490ecff8ba377654c6d4d333718b6b1","lessThan":"5eac1322a7b14b8cd05ec896618278b90fba7f39","status":"affected","versionType":"git"},{"version":"a833a693a490ecff8ba377654c6d4d333718b6b1","lessThan":"f055897c975d079a90af873c791ab58cf0f6f2a5","status":"affected","versionType":"git"},{"version":"a833a693a490ecff8ba377654c6d4d333718b6b1","lessThan":"1d3f9bb4c8af70304d19c22e30f5d16a2d589bb5","status":"affected","versionType":"git"},{"version":"adb5c2e55524e3a96b02c3904b0bb6d5a5404d21","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["mm/hugetlb.c"],"versions":[{"version":"6.15","status":"affected"},{"version":"0","lessThan":"6.15","status":"unaffected","versionType":"semver"},{"version":"6.18.16","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.6","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.15","versionEndExcluding":"6.18.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.15","versionEndExcluding":"6.19.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.15","versionEndExcluding":"7.0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14.8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5eac1322a7b14b8cd05ec896618278b90fba7f39"},{"url":"https://git.kernel.org/stable/c/f055897c975d079a90af873c791ab58cf0f6f2a5"},{"url":"https://git.kernel.org/stable/c/1d3f9bb4c8af70304d19c22e30f5d16a2d589bb5"}],"title":"mm/hugetlb: restore failed global reservations to subpool","x_generator":{"engine":"bippy-1.2.0"}}}}