CVE-2026-31555

MEDIUM EPSS 2.4%
Published Apr 24, 20262mo ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Apr 24, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: futex: Clear stale exiting pointer in futex_lock_pi() retry path Fuzzying/stressing futexes triggered: WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524 When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY and stores a refcounted task pointer in 'exiting'. After wait_for_owner_exiting() consumes that reference, the local pointer is never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a different error, the bogus pointer is passed to wait_for_owner_exiting(). CPU0 CPU1 CPU2 futex_lock_pi(uaddr) // acquires the PI futex exit() futex_cleanup_begin() futex_state = EXITING; futex_lock_pi(uaddr) futex_lock_pi_atomic() attach_to_pi_owner() // observes EXITING *exiting = owner; // takes ref return -EBUSY wait_for_owner_exiting(-EBUSY, owner) put_task_struct(); // drops ref // exiting still points to owner goto retry; futex_lock_pi_atomic() lock_pi_update_atomic() cmpxchg(uaddr) *uaddr ^= WAITERS // whatever // value changed return -EAGAIN; wait_for_owner_exiting(-EAGAIN, exiting) // stale WARN_ON_ONCE(exiting) Fix this by resetting upon retry, essentially aligning it with requeue_pi.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
2.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 20

VendorProductVersionRange
linuxlinux_kernel*≥4.4.255  –  <4.5
linuxlinux_kernel*≥4.9.255  –  <4.10
linuxlinux_kernel*≥4.14.158  –  <4.15
linuxlinux_kernel*≥4.19.172  –  <4.20
linuxlinux_kernel*≥5.4.1  –  <5.5
linuxlinux_kernel*≥5.5.1  –  <5.10.253
linuxlinux_kernel*≥5.11  –  <5.15.203
linuxlinux_kernel*≥5.16  –  <6.1.168
linuxlinux_kernel*≥6.2  –  <6.6.131
linuxlinux_kernel*≥6.7  –  <6.12.80
linuxlinux_kernel*≥6.13  –  <6.18.21
linuxlinux_kernel*≥6.19  –  <6.19.11
linuxlinux_kernel5.5any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/210d36d892de5195e6766c45519dfb1e65f3eb83
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/33095ae3bdde5e5c264d7e88a2f3e7703a26c7aa
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5e8e06bf8909e79b4acd950cf578cfc2f10bbefa
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/71112e62807d1925dc3ae6188b11f8cfc85aec23
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7475dfad10a05a5bfadebf5f2499bd61b19ed293
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/92e47ad03e03dbb5515bdf06444bf6b1e147310d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/de7c0c04ad868f2cee6671b11c0a6d20421af1da
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e7824ec168d2ac883a213cd1f4d6cc0816002a85
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/210d36d892de5195e6766c45519dfb1e65f3eb83
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/33095ae3bdde5e5c264d7e88a2f3e7703a26c7aa
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5e8e06bf8909e79b4acd950cf578cfc2f10bbefa
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/71112e62807d1925dc3ae6188b11f8cfc85aec23
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7475dfad10a05a5bfadebf5f2499bd61b19ed293
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/92e47ad03e03dbb5515bdf06444bf6b1e147310d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/de7c0c04ad868f2cee6671b11c0a6d20421af1da
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e7824ec168d2ac883a213cd1f4d6cc0816002a85
    Patch