CVE-2026-31597

Severity: High · CVSS 3.1: 7.8 · EPSS: 2.8%
Published Apr 24, 2026
Last Modified Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY, as documented in mm/filemap.c:

"If our return value has VM_FAULT_RETRY set, it's because the mmap_lock may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."

When this happens, a concurrent munmap() can call remove_vma() and free the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call dereferences it -- a use-after-free.

Fix this by saving ip_blkno as a plain integer before calling filemap_fault(), and removing vma from the trace event. Since ip_blkno is copied by value before the lock can be dropped, it remains valid regardless of what happens to the vma or inode afterward.
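The ordering that the fix changes, as an added userspace model (not the kernel patch or ocfs2 code): every struct and function name here is hypothetical, and the freed vma is modelled by poisoning it rather than freeing it so the program stays well-defined.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace model only: all names below are hypothetical, not kernel code. */
#define POISON      0x6b6b6b6b6b6b6b6bULL /* stands in for freed memory */
#define FAULT_RETRY 0x1                   /* stands in for VM_FAULT_RETRY */

struct inode_model { uint64_t ip_blkno; };
struct vma_model   { struct inode_model *inode; };
static struct inode_model poisoned = { POISON };

/* Models munmap() -> remove_vma(): the vma contents are gone afterwards.
 * The object is poisoned instead of freed so the model stays defined C. */
static void model_unmap(struct vma_model *vma) { vma->inode = &poisoned; }

/* Models filemap_fault(): on the retry path the lock is dropped and a
 * concurrent unmap is assumed to win the race before we return. */
static int model_filemap_fault(struct vma_model *vma, int retry)
{
    if (!retry)
        return 0;
    model_unmap(vma);
    return FAULT_RETRY;
}

/* Pre-fix ordering: the trace argument is read through vma after the call. */
static uint64_t traced_blkno_before_fix(struct vma_model *vma, int retry)
{
    (void)model_filemap_fault(vma, retry);
    return vma->inode->ip_blkno; /* dangling dereference in the real bug */
}

/* Post-fix ordering: ip_blkno is copied by value first, vma is not reused. */
static uint64_t traced_blkno_after_fix(struct vma_model *vma, int retry)
{
    uint64_t blkno = vma->inode->ip_blkno;
    (void)model_filemap_fault(vma, retry);
    return blkno;
}

int main(void)
{
    struct inode_model ino = { 4242 }; /* constructed sample block number */
    struct vma_model a = { &ino }, b = { &ino };
    printf("before fix: %#llx\n", (unsigned long long)traced_blkno_before_fix(&a, 1));
    printf("after fix:  %llu\n", (unsigned long long)traced_blkno_after_fix(&b, 1));
    return 0;
}
```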

CVSS Details

Base Score: 7.8
Exploitability: 1.8
Impact: 5.9
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

EPSS Exploit Probability
2.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 5

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥2.6.39 – <6.6.136
linux   linux_kernel  *        ≥6.7 – <6.12.83
linux   linux_kernel  *        ≥6.13 – <6.18.24
linux   linux_kernel  *        ≥6.19 – <6.19.14
linux   linux_kernel  *        ≥7.0 – <7.0.1

References 9

  • git.kernel.org https://git.kernel.org/stable/c/35c2c05261d6f6d84aaa1355afa201d507943e76
  • git.kernel.org https://git.kernel.org/stable/c/36539c4d536f851a3b346a6ebb27b51bc3d77a94
  • git.kernel.org https://git.kernel.org/stable/c/3f5e74b5db9353b01ed50f4de84e75b755f8fbc2
  • git.kernel.org https://git.kernel.org/stable/c/4cf2768a0291a0cdd0dae801ea0eafa3878a349d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6f072daefcab1d84ce37c073645615f63be91006
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/76a602fdbb78dd05b2da06f74a988cebc97e82d0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7de554cabf160e331e4442e2a9ad874ca9875921
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/925bf22c1b823e231b1baea761fe8a1512e442f2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d45ff441b416d4aa1af72b1db23d959601c04da2
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/4cf2768a0291a0cdd0dae801ea0eafa3878a349d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6f072daefcab1d84ce37c073645615f63be91006
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/76a602fdbb78dd05b2da06f74a988cebc97e82d0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7de554cabf160e331e4442e2a9ad874ca9875921
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/925bf22c1b823e231b1baea761fe8a1512e442f2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d45ff441b416d4aa1af72b1db23d959601c04da2
    Patch