Skip to main content

Linux Kernel EUVDEUVD-2026-25434

| CVE-2026-31541 HIGH
Use After Free (CWE-416)
2026-04-24 Linux GHSA-mfcj-fwjx-5q54
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 18:52 vuln.today
CVSS changed
Apr 28, 2026 - 18:52 NVD
7.8 (HIGH)
Patch released
Apr 28, 2026 - 18:50 nvd
Patch available
Patch available
Apr 24, 2026 - 16:01 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25434
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:33 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix trace_marker copy link list updates

When the "copy_trace_marker" option is enabled for an instance, anything written into /sys/kernel/tracing/trace_marker is also copied into that instances buffer. When the option is set, that instance's trace_array descriptor is added to the marker_copies link list. This list is protected by RCU, as all iterations uses an RCU protected list traversal.

When the instance is deleted, all the flags that were enabled are cleared. This also clears the copy_trace_marker flag and removes the trace_array descriptor from the list.

The issue is after the flags are called, a direct call to update_marker_trace() is performed to clear the flag. This function returns true if the state of the flag changed and false otherwise. If it returns true here, synchronize_rcu() is called to make sure all readers see that its removed from the list.

But since the flag was already cleared, the state does not change and the synchronization is never called, leaving a possible UAF bug.

Move the clearing of all flags below the updating of the copy_trace_marker option which then makes sure the synchronization is performed.

Also use the flag for checking the state in update_marker_trace() instead of looking at if the list is empty.

AnalysisAI

Use-after-free in Linux kernel tracing subsystem allows local authenticated attackers to achieve arbitrary code execution, privilege escalation, or denial of service. The vulnerability occurs when deleting tracing instances with copy_trace_marker enabled, where improper RCU synchronization leaves freed memory accessible. Exploitation requires local access with low privileges to manipulate kernel tracing facilities. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability. Vendor patches available across multiple stable kernel versions (6.18.20, 6.19.10, 7.0).

Technical ContextAI

The Linux kernel tracing subsystem provides the trace_marker interface at /sys/kernel/tracing/trace_marker, which supports copying writes to multiple tracing instance buffers when copy_trace_marker is enabled. The affected code manages instance trace_array descriptors in an RCU-protected linked list (marker_copies). RCU (Read-Copy-Update) is a Linux kernel synchronization mechanism requiring proper synchronize_rcu() calls when removing list elements to ensure all readers complete before memory is freed. The vulnerability is a classic CWE-416 use-after-free race condition: when an instance is deleted, flags are cleared first, then update_marker_trace() is called which returns false (no state change) because the flag was already cleared, bypassing the required synchronize_rcu() call. This leaves a window where RCU readers may still traverse the list and access the trace_array descriptor after it's freed, causing memory corruption. The fix reorders operations so update_marker_trace() sees the actual state transition and properly invokes RCU synchronization before memory deallocation.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.20 or later for 6.18.x series, 6.19.10 or later for 6.19.x series, or 7.0 or later for 7.x series. Patches available from kernel.org stable repositories at https://git.kernel.org/stable/c/75668e58244e63ec3785098a02e1cdcff14a6c2e (6.18 series), https://git.kernel.org/stable/c/cc267e4b4302247dc67ef937a9ac587a696a43c1 (6.19 series), and https://git.kernel.org/stable/c/07183aac4a6828e474f00b37c9d795d0d99e18a7 (mainline). If immediate patching is not feasible, restrict access to /sys/kernel/tracing and /sys/kernel/debug/tracing filesystems by ensuring only root can mount or access debugfs/tracefs (default in most distributions). Use mount options like 'mode=0700' for debugfs to prevent non-root access. In containerized environments, avoid mounting debugfs/tracefs into containers or use security profiles (AppArmor, SELinux) to block tracing syscalls. Note that restricting tracing access may impact debugging workflows and performance monitoring tools relying on kernel tracing infrastructure. Verify access restrictions with 'ls -la /sys/kernel/debug' and check container security contexts.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-25434 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy