Skip to main content

Linux Kernel EUVDEUVD-2026-25447

| CVE-2026-31554 HIGH
Use After Free (CWE-416)
2026-04-24 Linux GHSA-fqg3-p6v9-g3wx
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 20:22 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 20:14 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:29 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.8 (HIGH)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25447
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:35 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

futex: Require sys_futex_requeue() to have identical flags

Nicholas reported that his LLM found it was possible to create a UaF when sys_futex_requeue() is used with different flags. The initial motivation for allowing different flags was the variable sized futex, but since that hasn't been merged (yet), simply mandate the flags are identical, as is the case for the old style sys_futex() requeue operations.

AnalysisAI

Use-after-free in Linux kernel futex subsystem allows local authenticated attackers to achieve code execution, privilege escalation, or denial of service via sys_futex_requeue() with mismatched flags. Discovered through automated LLM analysis by Nicholas, this affects kernel versions 6.7 through 6.19.x, with patches available in 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation or public POC has been identified. The vulnerability requires local access with low-privilege authenticated user credentials (PR:L), making it a post-compromise escalation vector rather than a remote entry point.

Technical ContextAI

This vulnerability affects the futex (fast userspace mutex) subsystem in the Linux kernel, specifically the sys_futex_requeue() system call introduced in commit 0f4b5f972216. Futexes are low-level synchronization primitives used by threading libraries like pthreads to implement mutexes, condition variables, and other concurrency constructs. The requeue operation moves waiters from one futex to another atomically. The flaw arises when the operation permits different flag parameters between source and destination futexes, creating a state inconsistency that leads to use-after-free conditions. The original design allowed variable flags to support planned variable-sized futex features that were never merged. The fix enforces identical flags validation, matching the behavior of the legacy sys_futex() FUTEX_CMP_REQUEUE and FUTEX_REQUEUE operations. No CWE classification was assigned, but this represents a classic use-after-free memory corruption vulnerability in kernel space.

RemediationAI

Upgrade to patched Linux kernel versions: 6.12.80 or later in the 6.12.x series (https://git.kernel.org/stable/c/027145ace09fad4c7cbcd6c61fe9b429c63eb0e5), 6.18.21+ for 6.18.x (https://git.kernel.org/stable/c/18b7d09c2b794c71d4252f3ea2cf84ad12b73d6a), 6.19.11+ for 6.19.x (https://git.kernel.org/stable/c/19f94b39058681dec64a10ebeb6f23fe7fc3f77a), or 7.0+ for mainline (https://git.kernel.org/stable/c/e2f78c7ec1655fedd945366151ba54fcb9580508). For systems unable to immediately patch, apply namespace isolation via user namespaces (sysctl kernel.unprivileged_userns_clone=0) to limit local attack surface, though this breaks containerized workloads and Flatpak applications. Kernel lockdown mode (lockdown=confidentiality) prevents unsigned kernel module loading but does not mitigate this vulnerability since it exploits a syscall interface. Restrict futex syscall access via seccomp-bpf filters in high-security environments, but note this breaks virtually all multi-threaded applications including databases, web servers, and language runtimes that depend on pthread primitives. The only reliable mitigation without operational impact is kernel upgrade.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-25447 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy