Skip to main content

Linux Kernel CVE-2026-31466

| EUVDEUVD-2026-24811 MEDIUM
Race Condition (CWE-362)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-j7cp-5j3g-7q5w
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 18:37 vuln.today
CVSS changed
May 07, 2026 - 18:37 NVD
4.7 (MEDIUM)
Patch released
Apr 23, 2026 - 16:17 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24811
CVE Published
Apr 22, 2026 - 14:16 nvd
N/A
CVE Published
Apr 22, 2026 - 14:16 nvd
MEDIUM 4.7

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

mm/huge_memory: fix folio isn't locked in softleaf_to_folio()

On arm64 server, we found folio that get from migration entry isn't locked in softleaf_to_folio(). This issue triggers when mTHP splitting and zap_nonpresent_ptes() races, and the root cause is lack of memory barrier in softleaf_to_folio(). The race is as follows:

CPU0 CPU1

deferred_split_scan() zap_nonpresent_ptes() lock folio split_folio() unmap_folio() change ptes to migration entries __split_folio_to_order() softleaf_to_folio() set flags(including PG_locked) for tail pages folio = pfn_folio(softleaf_to_pfn(entry)) smp_wmb() VM_WARN_ON_ONCE(!folio_test_locked(folio)) prep_compound_page() for tail pages

In __split_folio_to_order(), smp_wmb() guarantees page flags of tail pages are visible before the tail page becomes non-compound. smp_wmb() should be paired with smp_rmb() in softleaf_to_folio(), which is missed. As a result, if zap_nonpresent_ptes() accesses migration entry that stores tail pfn, softleaf_to_folio() may see the updated compound_head of tail page before page->flags.

This issue will trigger VM_WARN_ON_ONCE() in pfn_swap_entry_folio() because of the race between folio split and zap_nonpresent_ptes() leading to a folio incorrectly undergoing modification without a folio lock being held.

This is a BUG_ON() before commit 93976a20345b ("mm: eliminate further swapops predicates"), which in merged in v6.19-rc1.

To fix it, add missing smp_rmb() if the softleaf entry is migration entry in softleaf_to_folio() and softleaf_to_page().

[tujinjiang@huawei.com: update function name and comments]

AnalysisAI

A race condition in Linux kernel memory management causes folio objects to be accessed without proper locking during concurrent mega-transparent huge page (mTHP) splitting and zap operations on arm64, triggering a denial-of-service condition via VM_WARN_ON_ONCE() panic when the missing memory barrier allows CPU reordering to expose unlocked folio state. The vulnerability affects Linux kernel versions before 5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.21, 6.19.11, and 7.0 with EPSS score of 0.02% indicating low real-world exploitation likelihood despite moderate CVSS impact rating.

Technical ContextAI

The vulnerability exists in the mm/huge_memory subsystem, specifically in the softleaf_to_folio() function which retrieves folio objects from migration entries during page table operations. The root cause is a missing smp_rmb() (read memory barrier) that should pair with smp_wmb() in __split_folio_to_order(). When deferred_split_scan() splits a folio and changes PTEs to migration entries via unmap_folio(), it uses smp_wmb() to ensure page flags (including PG_locked) are visible before the folio becomes non-compound. Without the corresponding smp_rmb() in softleaf_to_folio(), concurrent zap_nonpresent_ptes() operations can observe CPU-reordered memory, causing the function to see an updated compound_head before the lock flag is visible, violating the invariant that a folio must be locked before modification. This is classified as CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), a classic race condition in memory barrier usage.

RemediationAI

Apply vendor-released patches immediately: upgrade to Linux kernel 5.10.253 or later (5.10 series), 5.15.203 or later (5.15 series), 6.1.168 or later (6.1 series), 6.6.134 or later (6.6 series), 6.12.81 or later (6.12 series), 6.18.21 or later (6.18 series), 6.19.11 or later (6.19 series), or 7.0 final release. The fix involves adding smp_rmb() barriers in softleaf_to_folio() and softleaf_to_page() functions when handling migration entries. For systems unable to patch immediately, consider disabling memory compaction or reducing transparent huge page usage via /sys/kernel/mm/transparent_hugepage/enabled, though this trades security for performance degradation. Alternatively, restrict concurrent workloads that trigger aggressive page splitting and zapping on arm64 systems by using CPU pinning and memory policies to serialize access patterns, reducing the likelihood of hitting the race window. Reboot is required after patching to activate the fix. Commits are available at https://git.kernel.org/stable/ with the specific commit hashes provided in references.

More in Huawei

View all
CVE-2014-9222 CRITICAL POC
10.0 Dec 24

AllegroSoft RomPager 4.34 and earlier, as used in Huawei Home Gateway products and other vendors and products, allows re

CVE-2013-4630 HIGH POC
7.6 Jun 20

Stack-based buffer overflow on Huawei AR 150, 200, 1200, 2200, and 3200 routers, when SNMPv3 debugging is enabled, allow

CVE-2016-2231 CRITICAL POC
9.8 Feb 15

The Windows-based Host Interface Program (WHIP) service on Huawei SmartAX MT882 devices V200R002B022 Arg relies on the c

CVE-2012-4960 MEDIUM POC
6.5 Jun 20

The Huawei NE5000E, MA5200G, NE40E, NE80E, ATN, NE40, NE80, NE20E-X6, NE20, ME60, CX600, CX200, CX300, ACU, WLAN AC 6605

CVE-2015-7254 MEDIUM POC
5.0 Nov 07

Directory traversal vulnerability on Huawei HG532e, HG532n, and HG532s devices allows remote attackers to read arbitrary

CVE-2020-37220 HIGH POC
8.7 May 13

Huawei HG630 V2 router contains an authentication bypass vulnerability that allows unauthenticated attackers to obtain a

CVE-2013-4631 HIGH POC
7.8 Jun 20

Huawei AR 150, 200, 1200, 2200, and 3200 routers, when SNMPv3 is enabled, allow remote attackers to cause a denial of se

CVE-2015-8088 HIGH POC
7.8 Jan 12

Heap-based buffer overflow in the HIFI driver in Huawei Mate 7 phones with software MT7-UL00 before MT7-UL00C17B354, MT7

CVE-2014-8358 HIGH POC
7.8 Dec 11

Huawei EC156, EC176, and EC177 USB Modem products with software before UTPS-V200R003B015D02SP07C1014 (23.015.02.07.1014)

CVE-2016-5821 HIGH POC
7.8 Jul 13

Huawei HiSuite before 4.0.4.204_ove (Out of China) and before 4.0.4.301 (China) use a weak ACL (FILE_WRITE_DATA for BUIL

CVE-2014-9223 CRITICAL
10.0 Dec 24

Multiple buffer overflows in AllegroSoft RomPager, as used in Huawei Home Gateway products and other vendors and product

CVE-2014-8359 HIGH POC
7.2 Nov 13

Untrusted search path vulnerability in Huawei Mobile Partner for Windows 23.009.05.03.1014 allows local users to execute

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31466 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy