Skip to main content

Linux Kernel EUVDEUVD-2026-24797

| CVE-2026-31458 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-rhx5-38hr-wvr9
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Generated
May 06, 2026 - 00:00 vuln.today
CVSS changed
May 05, 2026 - 21:37 NVD
5.5 (MEDIUM)
Patch released
Apr 23, 2026 - 16:17 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24797
CVE Published
Apr 22, 2026 - 14:16 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/sysfs: check contexts->nr before accessing contexts_arr[0]

Multiple sysfs command paths dereference contexts_arr[0] without first verifying that kdamond->contexts->nr == 1. A user can set nr_contexts to 0 via sysfs while DAMON is running, causing NULL pointer dereferences.

In more detail, the issue can be triggered by privileged users like below.

First, start DAMON and make contexts directory empty (kdamond->contexts->nr == 0).

damo start

cd /sys/kernel/mm/damon/admin/kdamonds/0

echo 0 > contexts/nr_contexts

Then, each of below commands will cause the NULL pointer dereference.

echo update_schemes_stats > state

echo update_schemes_tried_regions > state

echo update_schemes_tried_bytes > state

echo update_schemes_effective_quotas > state

echo update_tuned_intervals > state

Guard all commands (except OFF) at the entry point of damon_sysfs_handle_cmd().

AnalysisAI

Denial of service via null pointer dereference in Linux kernel DAMON sysfs module allows local privileged users to crash the system by setting nr_contexts to zero while DAMON is running, then issuing state-change commands that dereference an empty contexts array without bounds checking. EPSS exploitation probability is minimal at 0.02%, reflecting the requirement for local privileged access and active DAMON configuration.

Technical ContextAI

The vulnerability exists in the Data Access MONitoring (DAMON) subsystem's sysfs interface, specifically in the damon_sysfs_handle_cmd() function and related code paths. DAMON is a Linux kernel module for monitoring memory access patterns. The sysfs interface allows privileged users to manage DAMON instances (kdamonds) and their associated contexts via /sys/kernel/mm/damon/admin/. The vulnerability is classified as CWE-476 (Null Pointer Dereference), arising from insufficient bounds checking on the contexts_arr array before access. Multiple command handlers (update_schemes_stats, update_schemes_tried_regions, update_schemes_tried_bytes, update_schemes_effective_quotas, update_tuned_intervals) directly dereference contexts_arr[0] without verifying that kdamond->contexts->nr >= 1, allowing a local privileged user to trigger a NULL pointer dereference by first reducing nr_contexts to zero via sysfs and then invoking these commands.

RemediationAI

Apply the vendor-released kernel patch from the stable branch matching your current version: Linux 6.6.131, 6.12.80, 6.18.21, 6.19.11, or 7.0 final release. The upstream fix adds bounds checking in damon_sysfs_handle_cmd() to verify kdamond->contexts->nr >= 1 before accessing contexts_arr[0], preventing NULL pointer dereference on all affected command paths (update_schemes_stats, update_schemes_tried_regions, update_schemes_tried_bytes, update_schemes_effective_quotas, update_tuned_intervals). For kernels not yet receiving patches, disable CONFIG_DAMON_SYSFS at compile time if DAMON is not required, or restrict sysfs access via filesystem permissions (chmod 600 on /sys/kernel/mm/damon/admin) and SELinux/AppArmor policies to prevent unprivileged users from modifying DAMON contexts. Patch references: https://git.kernel.org/stable/c/1bfe9fb5ed2667fb075682408b776b5273162615, https://git.kernel.org/stable/c/aba546061341b56e9ffb37e1eb661a3628b6ec12.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-24797 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy