Skip to main content

Linux CVE-2026-31397

| EUVDEUVD-2026-18776 HIGH
NULL Pointer Dereference (CWE-476)
2026-04-03 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Apr 27, 2026 - 14:22 NVD
7.8 (HIGH)
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18776
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:16 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mm/huge_memory: fix use of NULL folio in move_pages_huge_pmd()

move_pages_huge_pmd() handles UFFDIO_MOVE for both normal THPs and huge zero pages. For the huge zero page path, src_folio is explicitly set to NULL, and is used as a sentinel to skip folio operations like lock and rmap.

In the huge zero page branch, src_folio is NULL, so folio_mk_pmd(NULL, pgprot) passes NULL through folio_pfn() and page_to_pfn(). With SPARSEMEM_VMEMMAP this silently produces a bogus PFN, installing a PMD pointing to non-existent physical memory. On other memory models it is a NULL dereference.

Use page_folio(src_page) to obtain the valid huge zero folio from the page, which was obtained from pmd_page() and remains valid throughout.

After commit d82d09e48219 ("mm/huge_memory: mark PMD mappings of the huge zero folio special"), moved huge zero PMDs must remain special so vm_normal_page_pmd() continues to treat them as special mappings.

move_pages_huge_pmd() currently reconstructs the destination PMD in the huge zero page branch, which drops PMD state such as pmd_special() on architectures with CONFIG_ARCH_HAS_PTE_SPECIAL. As a result, vm_normal_page_pmd() can treat the moved huge zero PMD as a normal page and corrupt its refcount.

Instead of reconstructing the PMD from the folio, derive the destination entry from src_pmdval after pmdp_huge_clear_flush(), then handle the PMD metadata the same way move_huge_pmd() does for moved entries by marking it soft-dirty and clearing uffd-wp.

AnalysisAI

Linux kernel memory management allows installation of PMD entries pointing to non-existent physical memory or causes NULL pointer dereferences in move_pages_huge_pmd() when handling huge zero page migrations via UFFDIO_MOVE. The vulnerability occurs because the function incorrectly handles NULL folio pointers for huge zero pages, either producing bogus page frame numbers on SPARSEMEM_VMEMMAP systems or dereferencing NULL on other memory models. Additionally, destination PMD entries lose special mapping metadata (pmd_special flag), causing subsequent page reference counting corruption. No CVSS score is available; no active exploitation reported.

Technical ContextAI

The vulnerability resides in the Linux kernel's huge_memory subsystem, specifically in the move_pages_huge_pmd() function which facilitates userspace-driven page movement via UFFDIO_MOVE operations. The function must handle two distinct paths: normal transparent huge pages (THPs) and huge zero pages (special sentinel pages used for zero-filled memory regions). For huge zero pages, src_folio is intentionally set to NULL as a sentinel to skip certain folio operations (locking, rmap updates). However, the code then passes this NULL folio to folio_mk_pmd(NULL, pgprot), which chains through folio_pfn() and page_to_pfn() functions. On systems using SPARSEMEM_VMEMMAP memory model, NULL pointer arithmetic silently computes an invalid physical frame number, installing a PMD pointing to non-existent memory. On other memory models, this causes direct NULL pointer dereference. Additionally, when reconstructing the destination PMD from the folio in the huge zero page branch, the code loses PMD metadata flags such as pmd_special(), which is essential after commit d82d09e48219. This causes vm_normal_page_pmd() to misclassify the migrated huge zero PMD as a normal page, leading to reference count corruption. The underlying root causes are improper NULL handling in folio operations and incorrect PMD metadata preservation during migration.

RemediationAI

Apply the upstream kernel fixes available at git.kernel.org/stable/c/f3caaee0f9e489fd2282d4ce45791dc8aed2da62, git.kernel.org/stable/c/e3133d0986dc5a231d5419167dbac65312b28b41, and git.kernel.org/stable/c/fae654083bfa409bb2244f390232e2be47f05bfc. These commits address the vulnerability by using page_folio(src_page) to correctly obtain the huge zero folio instead of passing NULL through folio operations, and by deriving the destination PMD from src_pmdval to preserve special mapping metadata. Users should update to a stable kernel release that includes these commits, or apply them directly to their kernel source. For systems where kernel updates cannot be immediately deployed, disabling CONFIG_USERFAULTFD at compile time or via kernel command-line parameters will eliminate the attack surface, though this may impact applications relying on userfaultfd functionality.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31397 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy