CVE-2026-43404

MEDIUMNVD 5.5

5.5

In the Linux kernel, the following vulnerability has been resolved:

mm: Fix a hmm_range_fault() livelock / starvation problem

If hmm_range_fault() fails a folio_trylock() in do_swap_page, trying to acquire the lock of a device-private folio for migration, to ram, the function will spin until it succeeds grabbing the lock.

However, if the process holding the lock is depending on a work item to be completed, which is scheduled on the same CPU as the spinning hmm_range_fault(), that work item might be starved and we end up in a livelock / starvation situation which is never resolved.

This can happen, for example if the process holding the device-private folio lock is stuck in migrate_device_unmap()->lru_add_drain_all() sinc lru_add_drain_all() requires a short work-item to be run on all online cpus to complete.

A prerequisite for this to happen is: a) Both zone device and system memory folios are considered in migrate_device_unmap(), so that there is a reason to call lru_add_drain_all() for a system memory folio while a folio lock is held on a zone device folio. b) The zone device folio has an initial mapcount > 1 which causes at least one migration PTE entry insertion to be deferred to try_to_migrate(), which can happen after the call to lru_add_drain_all(). c) No or voluntary only preemption.

This all seems pretty unlikely to happen, but indeed is hit by the "xe_exec_system_allocator" igt test.

Resolve this by waiting for the folio to be unlocked if the folio_trylock() fails in do_swap_page().

Rename migration_entry_wait_on_locked() to softleaf_entry_wait_unlock() and update its documentation to indicate the new use-case.

Future code improvements might consider moving the lru_add_drain_all() call in migrate_device_unmap() to be called *after* all pages have migration entries inserted. That would eliminate also b) above.

v2:

Instead of a cond_resched() in hmm_range_fault(),

eliminate the problem by waiting for the folio to be unlocked in do_swap_page() (Alistair Popple, Andrew Morton) v3:

Add a stub migration_entry_wait_on_locked() for the

!CONFIG_MIGRATION case. (Kernel Test Robot) v4:

Rename migrate_entry_wait_on_locked() to

softleaf_entry_wait_on_locked() and update docs (Alistair Popple) v5:

Add a WARN_ON_ONCE() for the !CONFIG_MIGRATION

version of softleaf_entry_wait_on_locked().

Modify wording around function names in the commit message

(Andrew Morton)

(cherry picked from commit a69d1ab971a624c6f112cea61536569d579c3215)

CVSS v3: 5.5
EG Score: 0.0(none)
EPSS: 1.8%
KEV: Not listed

Published

May 8, 2026

Last Modified

May 21, 2026

References (3)

416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7e6e2fc91d4b9b12ec6e137019532568ebcf2680
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/94b6d0ba4b640ba23bb6c708a59316e74e5ede63
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b570f37a2ce480be26c665345c5514686a8a0274

Vendor Advisories for CVE-2026-43404(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

GHSA-ffq9-g2vv-386p
GitHub Security AdvisoriesMedium
In the Linux kernel, the following vulnerability has been resolved: mm: Fix a hmm_range_fault()...

Frequently asked(5)

What is CVE-2026-43404?

CVE-2026-43404 is a medium vulnerability published on May 8, 2026. In the Linux kernel, the following vulnerability has been resolved: mm: Fix a hmmrangefault() livelock / starvation problem If hmmrangefault() fails a foliotrylock() in doswap_page, trying to acquire the lock of a device-private folio for migration, to ram, the function will spin until it succeeds…

When was CVE-2026-43404 disclosed?

CVE-2026-43404 was first published in the National Vulnerability Database on May 8, 2026, with the most recent update on May 21, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2026-43404 actively exploited?

CVE-2026-43404 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 1.8% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.

What is the CVSS score of CVE-2026-43404?

CVE-2026-43404 has a CVSS v3 base score of 5.5 (NVD). EchelonGraph synthesises NVD + CISA KEV + FIRST EPSS + GHSA into a combined EG score of 0.0.

How do I remediate CVE-2026-43404?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-43404, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-43404

Explore →

Is Your Infrastructure Affected by CVE-2026-43404?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2026-43404

📅 Published

🔄 Last Modified

🔗 References (3)

📣 Vendor Advisories for CVE-2026-43404(1)

❓ Frequently asked(5)