Skip to main content

Linux Kernel EUVDEUVD-2026-24796

| CVE-2026-31457 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-p6jg-gm5j-8f2r
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Generated
May 05, 2026 - 23:30 vuln.today
CVSS changed
May 05, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch released
Apr 23, 2026 - 16:17 nvd
Patch available
Patch available
Apr 22, 2026 - 16:02 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24796
CVE Published
Apr 22, 2026 - 14:16 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/sysfs: check contexts->nr in repeat_call_fn

damon_sysfs_repeat_call_fn() calls damon_sysfs_upd_tuned_intervals(), damon_sysfs_upd_schemes_stats(), and damon_sysfs_upd_schemes_effective_quotas() without checking contexts->nr. If nr_contexts is set to 0 via sysfs while DAMON is running, these functions dereference contexts_arr[0] and cause a NULL pointer dereference. Add the missing check.

For example, the issue can be reproduced using DAMON sysfs interface and DAMON user-space tool (damo) [1] like below.

$ sudo damo start --refresh_interval 1s $ echo 0 | sudo tee \ /sys/kernel/mm/damon/admin/kdamonds/0/contexts/nr_contexts

AnalysisAI

Null pointer dereference in Linux kernel DAMON sysfs interface allows local authenticated users to cause denial of service by setting nr_contexts to zero while DAMON is running, triggering dereference of uninitialized context array pointers in damon_sysfs_repeat_call_fn(). The vulnerability requires local access and low-level privileges (non-root user with sysfs write access), with an EPSS exploitation probability of 0.02% indicating low real-world attack likelihood despite the straightforward trigger mechanism.

Technical ContextAI

The Linux kernel DAMON (Data Access Monitoring) subsystem exposes a sysfs interface for dynamic memory monitoring configuration at /sys/kernel/mm/damon/admin/. The damon_sysfs_repeat_call_fn() function, part of the mm/damon/sysfs subsystem, is responsible for periodically updating tuned intervals and scheme statistics without validating that the contexts array contains active context structures. When nr_contexts is modified to zero via sysfs while DAMON daemon threads are running, the function attempts to dereference contexts_arr[0] despite the empty context list, violating the bounds check that would normally prevent array access. This is a classic CWE-476 null pointer dereference in a kernel memory management subsystem.

RemediationAI

Apply vendor-released patches from stable kernel backports: Linux 6.18.21, 6.19.11, or 7.0 and later (commits 3527e9fdc38570cea0f6ddb7a2c9303d4044b217, 652cd0641a763dd0e846b0d12814977fadb2b7d8, and 6557004a8b59c7701e695f02be03c7e20ed1cc15 available at https://git.kernel.org/stable/). The fix adds a missing bounds check in damon_sysfs_repeat_call_fn() to verify contexts->nr > 0 before dereferencing context array elements. Interim mitigation: restrict write access to /sys/kernel/mm/damon/admin/kdamonds/*/contexts/nr_contexts via filesystem permissions or SELinux policy to prevent unprivileged users from triggering the dereference. This mitigation trades off DAMON configuration flexibility for availability. Additionally, disable DAMON at boot time via kernel command line parameter if not actively required, eliminating the daemon context entirely.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-24796 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy