Skip to main content

Linux Kernel CVE-2026-31648

| EUVDEUVD-2026-25541 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-04-24 Linux GHSA-5fqc-9jpf-8wjm
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 20:22 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 20:13 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:40 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.8 (HIGH)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25541
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:45 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mm: filemap: fix nr_pages calculation overflow in filemap_map_pages()

When running stress-ng on my Arm64 machine with v7.0-rc3 kernel, I encountered some very strange crash issues showing up as "Bad page state":

" [ 734.496287] BUG: Bad page state in process stress-ng-env pfn:415735fb [ 734.496427] page: refcount:0 mapcount:1 mapping:0000000000000000 index:0x4cf316 pfn:0x415735fb [ 734.496434] flags: 0x57fffe000000800(owner_2|node=1|zone=2|lastcpupid=0x3ffff) [ 734.496439] raw: 057fffe000000800 0000000000000000 dead000000000122 0000000000000000 [ 734.496440] raw: 00000000004cf316 0000000000000000 0000000000000000 0000000000000000 [ 734.496442] page dumped because: nonzero mapcount "

After analyzing this page’s state, it is hard to understand why the mapcount is not 0 while the refcount is 0, since this page is not where the issue first occurred. By enabling the CONFIG_DEBUG_VM config, I can reproduce the crash as well and captured the first warning where the issue appears:

" [ 734.469226] page: refcount:33 mapcount:0 mapping:00000000bef2d187 index:0x81a0 pfn:0x415735c0 [ 734.469304] head: order:5 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 734.469315] memcg:ffff000807a8ec00 [ 734.469320] aops:ext4_da_aops ino:100b6f dentry name(?):"stress-ng-mmaptorture-9397-0-2736200540" [ 734.469335] flags: 0x57fffe400000069(locked|uptodate|lru|head|node=1|zone=2|lastcpupid=0x3ffff) ...... [ 734.469364] page dumped because: VM_WARN_ON_FOLIO((_Generic((page + nr_pages - 1), const struct page *: (const struct folio *)_compound_head(page + nr_pages - 1), struct page *: (struct folio *)_compound_head(page + nr_pages - 1))) != folio) [ 734.469390] ------------[ cut here ]------------ [ 734.469393] WARNING: ./include/linux/rmap.h:351 at folio_add_file_rmap_ptes+0x3b8/0x468, CPU#90: stress-ng-mlock/9430 [ 734.469551] folio_add_file_rmap_ptes+0x3b8/0x468 (P) [ 734.469555] set_pte_range+0xd8/0x2f8 [ 734.469566] filemap_map_folio_range+0x190/0x400 [ 734.469579] filemap_map_pages+0x348/0x638 [ 734.469583] do_fault_around+0x140/0x198 ...... [ 734.469640] el0t_64_sync+0x184/0x188 "

The code that triggers the warning is: "VM_WARN_ON_FOLIO(page_folio(page + nr_pages - 1) != folio, folio)", which indicates that set_pte_range() tried to map beyond the large folio’s size.

By adding more debug information, I found that 'nr_pages' had overflowed in filemap_map_pages(), causing set_pte_range() to establish mappings for a range exceeding the folio size, potentially corrupting fields of pages that do not belong to this folio (e.g., page->_mapcount).

After above analysis, I think the possible race is as follows:

CPU 0 CPU 1 filemap_map_pages() ext4_setattr() //get and lock folio with old inode->i_size next_uptodate_folio()

....... //shrink the inode->i_size i_size_write(inode, attr->ia_size);

//calculate the end_pgoff with the new inode->i_size file_end = DIV_ROUND_UP(i_size_read(mapping->host), PAGE_SIZE) - 1; end_pgoff = min(end_pgoff, file_end);

...... //nr_pages can be overflowed, cause xas.xa_index > end_pgoff end = folio_next_index(folio) - 1; nr_pages = min(end, end_pgoff) - xas.xa_index + 1;

...... //map large folio filemap_map_folio_range() ...... //truncate folios truncate_pagecache(inode, inode->i_size);

To fix this issue, move the 'end_pgoff' calculation before next_uptodate_folio(), so the retrieved folio stays consistent with the file end to avoid ---truncated---

AnalysisAI

Race condition in Linux kernel memory management allows local attackers with low privileges to corrupt kernel page state, potentially achieving high-impact denial of service, data corruption, or privilege escalation. The vulnerability affects kernel versions 6.6.x through 7.0-rc3, with patches confirmed released for stable branches 6.6.135, 6.12.82, 6.18.23, 6.19.13, and mainline 7.0. EPSS exploitation probability is low (0.02%, 5th percentile), and no public exploit code or active exploitation has been identified at time of analysis. The CVSS vector (AV:L/AC:L/PR:L/UI:N) indicates local access with low attack complexity, while the specific race condition requires precise timing between file mapping and inode size modification operations.

Technical ContextAI

The vulnerability exists in the Linux kernel's memory-mapped file page fault handler (filemap_map_pages()) in mm/filemap.c. When applications map files via mmap(), the kernel uses large folios (multi-page memory structures) for efficiency. The flaw is a time-of-check-time-of-use (TOCTOU) race between calculating the file end boundary and actually mapping pages. If another thread concurrently shrinks the file via truncate/setattr operations (reducing inode->i_size), the end_pgoff calculation can become stale. This causes nr_pages arithmetic overflow when computing 'min(end, end_pgoff) - xas.xa_index + 1', leading filemap_map_folio_range() to establish page table entries beyond the folio's actual size. The resulting out-of-bounds PTEs corrupt metadata fields (particularly _mapcount and _refcount) of adjacent kernel page structures not belonging to the folio. The ext4 filesystem triggers the observed case, but the vulnerability is filesystem-agnostic, affecting any file-backed mmap with concurrent truncation. CPE strings confirm impact across all Linux kernel architectures from commit 743a2753a02e through 7.0-rc3.

RemediationAI

Upgrade to patched kernel versions: 6.6.135 or later for the 6.6.x series, 6.12.82 or later for 6.12.x, 6.18.23 or later for 6.18.x, 6.19.13 or later for 6.19.x, or 7.0 final release for mainline users. Patches available at git.kernel.org stable tree commits 88591194df73 (6.6.x), f58df566524e (6.12.x), 633ab680c405 (6.18.x), 576543bedd61 (6.19.x), and 9316a820b9aa (7.0). Distribution-specific packages from Red Hat, Ubuntu, Debian, and SUSE will incorporate these fixes into their update channels with vendor-specific versioning. The upstream fix relocates end_pgoff calculation to occur before folio retrieval, eliminating the race window between size check and page mapping. No effective workarounds exist short of disabling file-backed mmap entirely (not practical). Compensating controls include restricting local user access, deploying kernel runtime integrity monitors (e.g., LKRG), and enabling kernel page table isolation (KPTI) which provides partial mitigation by isolating user/kernel address spaces, though KPTI does not prevent the race itself. Organizations unable to patch immediately should prioritize monitoring for unexpected kernel crashes with 'Bad page state' messages and consider restricting untrusted local code execution until patching is complete.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31648 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy