CVE-2026-23100

Source
https://cve.org/CVERecord?id=CVE-2026-23100
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23100.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-23100
Published
2026-02-04T16:08:22.592Z
Modified
2026-05-18T05:58:33.056566585Z
Summary
mm/hugetlb: fix hugetlb_pmd_shared()
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: fix hugetlb_pmd_shared()

Patch series "mm/hugetlb: fixes for PMD table sharing (incl. using mmu_gather)", v3.

One functional fix, one performance regression fix, and two related comment fixes.

I cleaned up my prototype I recently shared [1] for the performance fix, deferring most of the cleanups I had in the prototype to a later point. While doing that I identified the other things.

The goal of this patch set is to be backported to stable trees "fairly" easily. At least patch #1 and #4.

Patch #1 fixes hugetlb_pmd_shared() not detecting any sharing.
Patch #2 + #3 are simple comment fixes that patch #4 interacts with.
Patch #4 is a fix for the reported performance regression due to excessive IPI broadcasts during fork()+exit().

The last patch is all about TLB flushes, IPIs and mmu_gather. Read: complicated

There are plenty of cleanups in the future to be had + one reasonable optimization on x86. But that's all out of scope for this series.

Runtime tested, with a focus on fixing the performance regression using the original reproducer [2] on x86.

This patch (of 4):

We switched from (wrongly) using the page count to an independent shared count. Now, shared page tables have a refcount of 1 (excluding speculative references) and instead use ptdesc->pt_share_count to identify sharing.

We didn't convert hugetlb_pmd_shared(), so right now, we would never detect a shared PMD table as such, because sharing/unsharing no longer touches the refcount of a PMD table.

Page migration, like mbind() or migrate_pages(), would allow for migrating folios mapped into such shared PMD tables, even though the folios are not exclusive. In smaps we would account them as "private" although they are "shared", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the pagemap interface.

Fix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared().

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23100.json",
    "cna_assigner": "Linux"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
94b4b41d0cdf5cfd4d4325bc0e6e9e0d0e996133
Fixed
8ae48255bcb17b32436be97553dca848730d365f
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8410996eb6fea116fe1483ed977aacf580eee7b4
Fixed
bf3c2affe245cf831866ddc8f736ae6a22cdc11c
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
02333ac1c35370517a19a4a131332a9690c6a5c7
Fixed
5b2aec77f92265a9028c5f632bdd9af5b57ec3a3
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
56b274473d6e7e7375f2d0a2b4aca11d67c6b52f
Fixed
51dcf459845fd28f5a0d83d408a379b274ec5cc5
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2e31443a0d18ae43b9d29e02bf0563f07772193d
Fixed
3a18b452dd5f7f1652c2e92f8ae769aa17a66c9e
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
59d9094df3d79443937add8700b2ef1a866b1081
Fixed
69c4e241ff13545d410a8b2a688c932182a858bf
Fixed
ca1a47cd3f5f4c46ca188b1c9a27af87d1ab2216

Affected versions

v5.*
v5.10.239
v5.10.240
v5.10.241
v5.10.242
v5.10.243
v5.10.244
v5.10.245
v5.10.246
v5.10.247
v5.10.248
v5.10.249
v5.10.250
v5.10.251
v5.10.252
v5.15.186
v5.15.187
v5.15.188
v5.15.189
v5.15.190
v5.15.191
v5.15.192
v5.15.193
v5.15.194
v5.15.195
v5.15.196
v5.15.197
v5.15.198
v5.15.199
v5.15.200
v5.15.201
v5.15.202
v6.*
v6.1.142
v6.1.143
v6.1.144
v6.1.145
v6.1.146
v6.1.147
v6.1.148
v6.1.149
v6.1.150
v6.1.151
v6.1.152
v6.1.153
v6.1.154
v6.1.155
v6.1.156
v6.1.157
v6.1.158
v6.1.159
v6.1.160
v6.1.161
v6.1.162
v6.1.163
v6.1.164
v6.1.165
v6.1.166
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.36
v6.12.37
v6.12.38
v6.12.39
v6.12.40
v6.12.41
v6.12.42
v6.12.43
v6.12.44
v6.12.45
v6.12.46
v6.12.47
v6.12.48
v6.12.49
v6.12.50
v6.12.51
v6.12.52
v6.12.53
v6.12.54
v6.12.55
v6.12.56
v6.12.57
v6.12.58
v6.12.59
v6.12.60
v6.12.61
v6.12.62
v6.12.63
v6.12.64
v6.12.65
v6.12.66
v6.12.67
v6.12.68
v6.12.69
v6.12.70
v6.12.71
v6.12.72
v6.12.73
v6.12.9
v6.6.100
v6.6.101
v6.6.102
v6.6.103
v6.6.104
v6.6.105
v6.6.106
v6.6.107
v6.6.108
v6.6.109
v6.6.110
v6.6.111
v6.6.112
v6.6.113
v6.6.114
v6.6.115
v6.6.116
v6.6.117
v6.6.118
v6.6.119
v6.6.120
v6.6.121
v6.6.122
v6.6.123
v6.6.124
v6.6.125
v6.6.126
v6.6.72
v6.6.73
v6.6.74
v6.6.75
v6.6.76
v6.6.77
v6.6.78
v6.6.79
v6.6.80
v6.6.81
v6.6.82
v6.6.83
v6.6.84
v6.6.85
v6.6.86
v6.6.87
v6.6.88
v6.6.89
v6.6.90
v6.6.91
v6.6.92
v6.6.93
v6.6.94
v6.6.95
v6.6.96
v6.6.97
v6.6.98
v6.6.99

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23100.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.253
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.203
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.167
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.127
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.74
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.8

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23100.json"