Skip to main content

Linux Kernel CVE-2026-31589

| EUVDEUVD-2026-25482 CRITICAL
Use After Free (CWE-416)
2026-04-24 Linux GHSA-mg7h-q7hw-m596
Critical
Disputed · 9.8 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
6.6 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 28, 2026 - 20:53 vuln.today
cvss_changed
Analysis Generated
Apr 27, 2026 - 15:32 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
9.8 (CRITICAL)
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25482
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mm: call ->free_folio() directly in folio_unmap_invalidate()

We can only call filemap_free_folio() if we have a reference to (or hold a lock on) the mapping. Otherwise, we've already removed the folio from the mapping so it no longer pins the mapping and the mapping can be removed, causing a use-after-free when accessing mapping->a_ops.

Follow the same pattern as __remove_mapping() and load the free_folio function pointer before dropping the lock on the mapping. That lets us make filemap_free_folio() static as this was the only caller outside filemap.c.

AnalysisAI

Use-after-free in Linux kernel memory management allows remote code execution when the folio_unmap_invalidate() function incorrectly accesses freed mapping structures. Kernel versions between 1da177e4c3f4 and patches 6.19.14/7.0.1 are affected. Exploitation probability is low (EPSS 2%, percentile 5%), with no confirmed active exploitation or public POC at time of analysis. Despite the critical CVSS 9.8 score indicating network-based unauthenticated attack, the description suggests this is a kernel memory corruption bug requiring local kernel code paths to trigger, not direct remote network exploitation - CVSS vector conflicts with technical nature and should be validated against vendor guidance.

Technical ContextAI

This vulnerability affects the Linux kernel's memory management (mm) subsystem, specifically the folio_unmap_invalidate() function which handles cleanup of file-backed memory pages. The issue is a use-after-free condition where the code calls filemap_free_folio() after releasing locks on the address space mapping structure. Because folios (multi-page memory objects) pin their parent mapping, removing the folio from the mapping allows the mapping structure itself to be freed. Subsequent access to mapping->a_ops (address space operations function pointer table) then dereferences freed memory. The CPE identifies this as affecting the core Linux kernel codebase. The fix mirrors the pattern used in __remove_mapping() by loading the free_folio function pointer before releasing the mapping lock, eliminating the race window.

RemediationAI

Upgrade to patched Linux kernel versions 6.19.14, 7.0.1, or later stable releases incorporating fix commits c330e65ea59c4805d6ab6757c4ddfe8c63acef31 or b667df39d98a7a24be7c2a40ff0863dac1ad2cd7. Distribution users should apply vendor-provided kernel updates from their package repositories (yum/dnf update kernel for RHEL/CentOS/Fedora, apt upgrade linux-image for Debian/Ubuntu, zypper update kernel-default for SUSE). Upstream fix details at https://git.kernel.org/stable/c/615d9bb2ccad42f9e21d837431e401db2e471195 and NVD advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-31589. No effective workaround exists for kernel memory management bugs short of full patching. Compensating controls are not applicable - this requires code-level fix. Organizations unable to patch immediately should prioritize systems with untrusted local users or those exposing kernel attack surface through containers, virtualization, or network filesystem services. Rebooting into the patched kernel is required for remediation to take effect.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31589 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy