Skip to main content

Linux Kernel CVE-2026-31481

| EUVDEUVD-2026-24841 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 11:52 vuln.today
CVSS changed
Apr 28, 2026 - 11:52 NVD
5.5 (MEDIUM)
Patch released
Apr 28, 2026 - 11:38 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24841
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

tracing: Drain deferred trigger frees if kthread creation fails

Boot-time trigger registration can fail before the trigger-data cleanup kthread exists. Deferring those frees until late init is fine, but the post-boot fallback must still drain the deferred list if kthread creation never succeeds.

Otherwise, boot-deferred nodes can accumulate on trigger_data_free_list, later frees fall back to synchronously freeing only the current object, and the older queued entries are leaked forever.

To trigger this, add the following to the kernel command line:

trace_event=sched_switch trace_trigger=sched_switch.traceon,sched_switch.traceon

The second traceon trigger will fail and be freed. This triggers a NULL pointer dereference and crashes the kernel.

Keep the deferred boot-time behavior, but when kthread creation fails, drain the whole queued list synchronously. Do the same in the late-init drain path so queued entries are not stranded there either.

AnalysisAI

Kernel panic via null pointer dereference in the tracing subsystem occurs when boot-time trigger registration fails and kthread creation does not succeed, allowing deferred trigger frees to accumulate indefinitely and crash the system. Local authenticated attackers can trigger this by specifying malformed trace event parameters on the kernel command line, resulting in denial of service. EPSS exploitation probability is 0.02% (very low) despite moderate CVSS score, suggesting this requires specific boot-time configuration and local access.

Technical ContextAI

The Linux kernel tracing subsystem uses a deferred-free mechanism for trigger data cleanup during boot, deferring frees to a kthread that runs during late initialization. The vulnerability exists in the interaction between boot-time trigger registration (CWE-476: null pointer dereference) and the kthread creation fallback logic. When trigger registration fails before the cleanup kthread is created, the code correctly defers the free operation. However, if kthread creation ultimately fails, the deferred list is never drained, causing queued entries to accumulate on trigger_data_free_list. Subsequent frees fall back to synchronously freeing only the current object, leaving older queued entries permanently leaked in memory. This manifests as a null pointer dereference when the system attempts to access freed or dangling pointers during later trigger operations, affecting Linux kernel versions 6.19 through 7.0-rc7.

RemediationAI

Apply the vendor-released patch from git.kernel.org stable commits 250ab25391edeeab8462b68be42e4904506c409c or 771624b7884a83bb9f922ae64ee41a5f8b7576c9 depending on kernel series (6.19.11 or 7.0 patches are confirmed). The fix drains the deferred trigger_data_free_list both when kthread creation fails and in the late-init drain path, preventing accumulation of freed entries. For systems running affected kernel versions, upgrade to the patched release (6.19.11 or later, or 7.0-final and beyond once released). Interim workaround: do not specify redundant or conflicting trace_trigger parameters at boot time (e.g., avoid 'trace_trigger=sched_switch.traceon,sched_switch.traceon'). However, this is a configuration-level mitigation only; patch application is strongly recommended. See https://git.kernel.org/stable/ for patch details and distribution-specific backport advisories.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31481 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy