Linux Kernel: THP Denied on Anonymous Inodes (CVE-2026-23375)
CVE-2026-23375 Published on March 25, 2026
mm: thp: deny THP for files on anonymous inodes
In the Linux kernel, the following vulnerability has been resolved:
file_thp_enabled() incorrectly allows THP for files on anonymous inodes
(e.g. guest_memfd and secretmem). These files are created via
alloc_file_pseudo(), which does not call get_write_access() and leaves
inode->i_writecount at 0. Combined with S_ISREG(inode->i_mode) being
true, they appear as read-only regular files when
CONFIG_READ_ONLY_THP_FOR_FS is enabled, making them eligible for THP
collapse.
Anonymous inodes can never pass the inode_is_open_for_write() check
since their i_writecount is never incremented through the normal VFS
open path. The right thing to do is to exclude them from THP eligibility
altogether, since CONFIG_READ_ONLY_THP_FOR_FS was designed for real
filesystem files (e.g. shared libraries), not for pseudo-filesystem
inodes.
For guest_memfd, this allows khugepaged and MADV_COLLAPSE to create
large folios in the page cache via the collapse path, but the
guest_memfd fault handler does not support large folios. This triggers
WARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping().
For secretmem, collapse_file() tries to copy page contents through the
direct map, but secretmem pages are removed from the direct map. This
can result in a kernel crash:
  BUG: unable to handle page fault for address: ffff88810284d000
  RIP: 0010:memcpy_orig+0x16/0x130
  Call Trace:
   collapse_file
   hpage_collapse_scan_file
   madvise_collapse
Secretmem is not affected by the crash on upstream as the memory failure
recovery handles the failed copy gracefully, but it still triggers
confusing false memory failure reports:
  Memory failure: 0x106d96f: recovery action for clean unevictable
  LRU page: Recovered
Check IS_ANON_FILE(inode) in file_thp_enabled() to deny THP for all
anonymous inode files.
Products Associated with CVE-2026-23375
Affected Versions
Linux:
- Version 7fbb5e188248c50f737720825da1864ce42536d1 and below 08de46a75f91a6661bc1ce0a93614f4bc313c581 is affected.
- Version 7fbb5e188248c50f737720825da1864ce42536d1 and below 0524ee56af2c9bfbad152a810f1ca95de8ca00d7 is affected.
- Version 7fbb5e188248c50f737720825da1864ce42536d1 and below f6fa05f0dddd387417d0c28281ddb951582514d6 is affected.
- Version 7fbb5e188248c50f737720825da1864ce42536d1 and below dd085fe9a8ebfc5d10314c60452db38d2b75e609 is affected.
- Version 6.8 is affected.
- Before 6.8 is unaffected.
- Version 6.12.78, <= 6.12.* is unaffected.
- Version 6.18.17, <= 6.18.* is unaffected.
- Version 6.19.7, <= 6.19.* is unaffected.
- Version 7.0-rc2, <= * is unaffected.
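
The following triage check is an added example, not code from the kernel project or from this page's publisher. It applies the upstream version ranges listed above together with the CONFIG_READ_ONLY_THP_FOR_FS precondition from the description. The function names and the /boot/config-<release> path are assumptions, and distribution kernels that backport the fix under an older version number need to be checked against the vendor advisory instead.

```python
import platform
import re

# Fixed stable releases per branch, from the "Affected Versions" list above.
FIXED_IN_BRANCH = {(6, 12): 78, (6, 18): 17, (6, 19): 7}
FIRST_AFFECTED = (6, 8)   # 6.8 is affected, anything earlier is not
FIXED_MAINLINE_RC = 2     # 7.0-rc2 and later are unaffected

def parse_release(release):
    """Split a `uname -r` style string into (major, minor, patch, rc)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch or 0), int(rc) if rc else None

def version_affected(release):
    """True if the upstream version falls in a range listed as affected."""
    major, minor, patch, rc = parse_release(release)
    if (major, minor) < FIRST_AFFECTED:
        return False
    if (major, minor) == (7, 0) and rc is not None:
        return rc < FIXED_MAINLINE_RC
    if (major, minor) >= (7, 0):
        return False
    fixed_patch = FIXED_IN_BRANCH.get((major, minor))
    # Branches with no fixed release listed are treated as affected.
    return fixed_patch is None or patch < fixed_patch

def read_only_thp_enabled(config_text):
    """True if the kernel config text enables CONFIG_READ_ONLY_THP_FOR_FS."""
    return any(line.strip() == "CONFIG_READ_ONLY_THP_FOR_FS=y"
               for line in config_text.splitlines())

def exposed(release, config_text):
    """Affected version range and the config option the description requires."""
    return version_affected(release) and read_only_thp_enabled(config_text)

if __name__ == "__main__":
    rel = platform.release()
    try:
        # Assumed location; many distributions ship the build config here.
        with open(f"/boot/config-{rel}") as fh:
            cfg = fh.read()
    except OSError:
        cfg = ""
        print("kernel config not found; CONFIG_READ_ONLY_THP_FOR_FS unknown")
    print(f"{rel}: version_affected={version_affected(rel)} "
          f"exposed={exposed(rel, cfg)}")
```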