CVE-2026-46268: Linux Kernel P2PDMA Memory Allocation Warning Logic Error
A logic error in the Linux kernel's PCI peer-to-peer DMA memory allocation code causes a spurious warning to be logged when kernel debug features are enabled. The vulnerability stems from a mismatch between a code assertion and a prior change to how memory pages are initialized—the assertion expects a non-zero reference count, but the pages are now created with a zero count by design. While the actual functionality remains intact, the warning floods kernel logs and can trigger monitoring alerts, degrading system observability and potentially masking other issues.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- —
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: PCI/P2PDMA: Fix p2pmem_alloc_mmap() warning condition Commit b7e282378773 has already changed the initial page refcount of p2pdma page from one to zero, however, in p2pmem_alloc_mmap() it uses "VM_WARN_ON_ONCE_PAGE(!page_ref_count(page))" to assert the initial page refcount should not be zero and the following will be reported when CONFIG_DEBUG_VM is enabled: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x380400000 flags: 0x20000000002000(reserved|node=0|zone=4) raw: 0020000000002000 ff1100015e3ab440 0000000000000000 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: VM_WARN_ON_ONCE_PAGE(!page_ref_count(page)) ------------[ cut here ]------------ WARNING: CPU: 5 PID: 449 at drivers/pci/p2pdma.c:240 p2pmem_alloc_mmap+0x83a/0xa60 Fix by using "page_ref_count(page)" as the assertion condition.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46268 involves a logic error in the p2pmem_alloc_mmap() function within drivers/pci/p2pdma.c. Commit b7e282378773 modified the initial page reference count for P2PDMA memory from 1 to 0, but the function retained a VM_WARN_ON_ONCE_PAGE() assertion that expects the refcount to be zero, creating a contradictory condition. When CONFIG_DEBUG_VM is enabled at kernel compile time, the assertion fires incorrectly, dumping verbose page metadata warnings to the kernel log. The fix corrects the assertion logic to match the actual initialized state.
Business impact
The primary impact is operational noise rather than security compromise. Systems running debug-enabled kernels with P2P DMA workloads will experience kernel log spam, increased I/O on logging infrastructure, and potential false positives in automated monitoring systems. In large-scale deployments or containerized environments where kernel logs are aggregated, this can increase storage costs and obscure genuine security or performance events. The issue does not directly compromise data confidentiality or integrity, nor does it enable privilege escalation.
Affected systems
Linux kernel versions between commit b7e282378773 and the fix are affected. The vulnerability manifests only when: (1) the kernel is compiled with CONFIG_DEBUG_VM enabled (common in development and some hardened distributions), and (2) P2PDMA functionality is in use (typically in high-performance computing, storage offload, or GPU environments). Standard production kernels without debug VM checks are unaffected by the warning, though the underlying code path logic issue persists.
Exploitability
This vulnerability is not exploitable for remote code execution, privilege escalation, or data exfiltration. It does not trigger a crash, panic, or denial of service in practice. The warning is self-contained and does not corrupt memory or allow attackers to influence control flow. No exploit code or specific triggering conditions beyond normal P2PDMA allocation operations are required to observe the symptom—it manifests as a side effect of correct operation under debug configurations.
Remediation
The fix involves replacing the negated assertion condition with the correct positive condition: change VM_WARN_ON_ONCE_PAGE(!page_ref_count(page)) to VM_WARN_ON_ONCE_PAGE(page_ref_count(page)) to match the post-b7e282378773 page initialization behavior. This is a one-line code correction in the assertion logic and carries minimal risk of introducing new issues. The functional behavior of P2PDMA allocation remains unchanged.
Patch guidance
Apply the corrected assertion condition to the p2pmem_alloc_mmap() function in drivers/pci/p2pdma.c. Verify against the Linux kernel's official repository and stable branch advisories for the exact version containing this fix. Users running debug-enabled kernels (CONFIG_DEBUG_VM=y) should prioritize this patch to reduce log noise and improve observability. Standard production kernel deployments should assess whether P2PDMA is in active use before scheduling; if P2PDMA is not utilized, the impact is none.
Detection guidance
Monitor kernel logs for repeated 'VM_WARN_ON_ONCE_PAGE(!page_ref_count(page))' warnings originating from drivers/pci/p2pdma.c:240 on systems with CONFIG_DEBUG_VM enabled. Correlation with P2PDMA workload initiation (e.g., GPU pass-through setup, storage offload job submission) confirms the issue. Collect affected kernel version, CONFIG_DEBUG_VM status, and P2PDMA usage context. This does not require active security monitoring—standard kernel log review or grepping for the warning pattern suffices.
Why prioritize this
This receives a MEDIUM severity score due to availability impact (degraded observability, log flooding) rather than confidentiality or integrity compromise. It is a quality/reliability issue rather than a true security vulnerability, but it merits timely remediation because it can trigger false alarms and obscure genuine security events in monitored environments. Prioritize for debug-enabled production systems or development clusters; deprioritize for standard production deployments not using P2PDMA.
Risk score, explained
The CVSS 3.1 score of 5.5 (MEDIUM) reflects: Attack Vector: Local (AV:L—kernel-level issue, no remote trigger), Access Complexity: Low (AC:L—normal P2PDMA operations trigger the condition), Privileges Required: Low (PR:L—non-root users can trigger P2PDMA allocation), User Interaction: None (UI:N—automatic upon operation), Scope: Unchanged (S:U—no cross-boundary impact), Confidentiality: None (C:N), Integrity: None (I:N), and Availability: High (A:H—log flooding and monitoring disruption). The score penalizes the observability impact without inflating the rating due to the absence of code execution or crash risk.
Frequently asked questions
Will this vulnerability cause my system to crash or lose data?
No. The vulnerability does not trigger a kernel panic, memory corruption, or data loss. It generates verbose warnings in the kernel log when debug VM checks are enabled. Systems without CONFIG_DEBUG_VM compiled in will not experience any observable effect.
Do I need to patch if I'm not using P2PDMA functionality?
The warning only triggers when P2PDMA memory allocation code is executed. If your workloads do not involve GPU pass-through, peer-to-peer DMA for storage, or similar use cases, you are unaffected in practice. However, patching is still recommended for debug-enabled kernels to maintain clean logs.
How do I know if my kernel has CONFIG_DEBUG_VM enabled?
Check the running kernel configuration: cat /boot/config-$(uname -r) | grep CONFIG_DEBUG_VM. If the output shows CONFIG_DEBUG_VM=y, debug VM is enabled and you may see this warning. CONFIG_DEBUG_VM=n or no output means it is disabled.
Is this a security vulnerability or a quality bug?
Technically, it is classified as a security vulnerability (CVE-2026-46268) due to its availability impact, but the practical risk is operational disruption rather than malicious exploitation. There is no code execution, privilege escalation, or data breach vector. The severity rating reflects log flooding and monitoring degradation, not active security compromise.
This analysis is provided for informational purposes to support vulnerability assessment and patch management. The information here is derived from the published CVE description and Linux kernel source commits. Organizations should verify patch availability and compatibility with their specific kernel versions against official Linux distribution advisories and the Linux kernel stable branch. Testing patches in non-production environments before deployment is strongly recommended. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and disclaims liability for decisions made in reliance upon it. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUMLinux Panthor GPU Driver Denial of Service via Cache Flush Timeout
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure