CVE-2026-31555
Description
In the Linux kernel, the following vulnerability has been resolved: futex: Clear stale exiting pointer in futex_lock_pi() retry path Fuzzying/stressing futexes triggered: WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524 When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY and stores a refcounted task pointer in 'exiting'. After wait_for_owner_exiting() consumes that reference, the local pointer is never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a different error, the bogus pointer is passed to wait_for_owner_exiting(). CPU0 CPU1 CPU2 futex_lock_pi(uaddr) // acquires the PI futex exit() futex_cleanup_begin() futex_state = EXITING; futex_lock_pi(uaddr) futex_lock_pi_atomic() attach_to_pi_owner() // observes EXITING *exiting = owner; // takes ref return -EBUSY wait_for_owner_exiting(-EBUSY, owner) put_task_struct(); // drops ref // exiting still points to owner goto retry; futex_lock_pi_atomic() lock_pi_update_atomic() cmpxchg(uaddr) *uaddr ^= WAITERS // whatever // value changed return -EAGAIN; wait_for_owner_exiting(-EAGAIN, exiting) // stale WARN_ON_ONCE(exiting) Fix this by resetting upon retry, essentially aligning it with requeue_pi.
CVSS Details
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Threat Intelligence
Affected Products 20
| Vendor | Product | Version | Range |
|---|---|---|---|
| linux | linux_kernel | * | ≥4.4.255 – <4.5 |
| linux | linux_kernel | * | ≥4.9.255 – <4.10 |
| linux | linux_kernel | * | ≥4.14.158 – <4.15 |
| linux | linux_kernel | * | ≥4.19.172 – <4.20 |
| linux | linux_kernel | * | ≥5.4.1 – <5.5 |
| linux | linux_kernel | * | ≥5.5.1 – <5.10.253 |
| linux | linux_kernel | * | ≥5.11 – <5.15.203 |
| linux | linux_kernel | * | ≥5.16 – <6.1.168 |
| linux | linux_kernel | * | ≥6.2 – <6.6.131 |
| linux | linux_kernel | * | ≥6.7 – <6.12.80 |
| linux | linux_kernel | * | ≥6.13 – <6.18.21 |
| linux | linux_kernel | * | ≥6.19 – <6.19.11 |
| linux | linux_kernel | 5.5 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
References 8
- git.kernel.org https://git.kernel.org/stable/c/210d36d892de5195e6766c45519dfb1e65f3eb83
- git.kernel.org https://git.kernel.org/stable/c/33095ae3bdde5e5c264d7e88a2f3e7703a26c7aa
- git.kernel.org https://git.kernel.org/stable/c/5e8e06bf8909e79b4acd950cf578cfc2f10bbefa
- git.kernel.org https://git.kernel.org/stable/c/71112e62807d1925dc3ae6188b11f8cfc85aec23
- git.kernel.org https://git.kernel.org/stable/c/7475dfad10a05a5bfadebf5f2499bd61b19ed293
- git.kernel.org https://git.kernel.org/stable/c/92e47ad03e03dbb5515bdf06444bf6b1e147310d
- git.kernel.org https://git.kernel.org/stable/c/de7c0c04ad868f2cee6671b11c0a6d20421af1da
- git.kernel.org https://git.kernel.org/stable/c/e7824ec168d2ac883a213cd1f4d6cc0816002a85
Remediation
- git.kernel.org https://git.kernel.org/stable/c/210d36d892de5195e6766c45519dfb1e65f3eb83
- git.kernel.org https://git.kernel.org/stable/c/33095ae3bdde5e5c264d7e88a2f3e7703a26c7aa
- git.kernel.org https://git.kernel.org/stable/c/5e8e06bf8909e79b4acd950cf578cfc2f10bbefa
- git.kernel.org https://git.kernel.org/stable/c/71112e62807d1925dc3ae6188b11f8cfc85aec23
- git.kernel.org https://git.kernel.org/stable/c/7475dfad10a05a5bfadebf5f2499bd61b19ed293
- git.kernel.org https://git.kernel.org/stable/c/92e47ad03e03dbb5515bdf06444bf6b1e147310d
- git.kernel.org https://git.kernel.org/stable/c/de7c0c04ad868f2cee6671b11c0a6d20421af1da
- git.kernel.org https://git.kernel.org/stable/c/e7824ec168d2ac883a213cd1f4d6cc0816002a85