Skip to main content

Linux Kernel EUVDEUVD-2026-25493

| CVE-2026-31600 HIGH
NULL Pointer Dereference (CWE-476)
2026-04-24 Linux GHSA-6447-4w47-gh9g
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 29, 2026 - 20:22 vuln.today
cvss_changed
Patch released
Apr 29, 2026 - 20:14 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:34 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.5 (HIGH)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25493
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

arm64: mm: Handle invalid large leaf mappings correctly

It has been possible for a long time to mark ptes in the linear map as invalid. This is done for secretmem, kfence, realm dma memory un/share, and others, by simply clearing the PTE_VALID bit. But until commit a166563e7ec37 ("arm64: mm: support large block mapping when rodata=full") large leaf mappings were never made invalid in this way.

It turns out various parts of the code base are not equipped to handle invalid large leaf mappings (in the way they are currently encoded) and I've observed a kernel panic while booting a realm guest on a BBML2_NOABORT system as a result:

[ 15.432706] software IO TLB: Memory encryption is active and system is using DMA bounce buffers [ 15.476896] Unable to handle kernel paging request at virtual address ffff000019600000 [ 15.513762] Mem abort info: [ 15.527245] ESR = 0x0000000096000046 [ 15.548553] EC = 0x25: DABT (current EL), IL = 32 bits [ 15.572146] SET = 0, FnV = 0 [ 15.592141] EA = 0, S1PTW = 0 [ 15.612694] FSC = 0x06: level 2 translation fault [ 15.640644] Data abort info: [ 15.661983] ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000 [ 15.694875] CM = 0, WnR = 1, TnD = 0, TagAccess = 0 [ 15.723740] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 15.755776] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000081f3f000 [ 15.800410] [ffff000019600000] pgd=0000000000000000, p4d=180000009ffff403, pud=180000009fffe403, pmd=00e8000199600704 [ 15.855046] Internal error: Oops: 0000000096000046 [#1] SMP [ 15.886394] Modules linked in: [ 15.900029] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 7.0.0-rc4-dirty #4 PREEMPT [ 15.935258] Hardware name: linux,dummy-virt (DT) [ 15.955612] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 15.986009] pc : __pi_memcpy_generic+0x128/0x22c [ 16.006163] lr : swiotlb_bounce+0xf4/0x158 [ 16.024145] sp : ffff80008000b8f0 [ 16.038896] x29: ffff80008000b8f0 x28: 0000000000000000 x27: 0000000000000000 [ 16.069953] x26: ffffb3976d261ba8 x25: 0000000000000000 x24: ffff000019600000 [ 16.100876] x23: 0000000000000001 x22: ffff0000043430d0 x21: 0000000000007ff0 [ 16.131946] x20: 0000000084570010 x19: 0000000000000000 x18: ffff00001ffe3fcc [ 16.163073] x17: 0000000000000000 x16: 00000000003fffff x15: 646e612065766974 [ 16.194131] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 16.225059] x11: 0000000000000000 x10: 0000000000000010 x9 : 0000000000000018 [ 16.256113] x8 : 0000000000000018 x7 : 0000000000000000 x6 : 0000000000000000 [ 16.287203] x5 : ffff000019607ff0 x4 : ffff000004578000 x3 : ffff000019600000 [ 16.318145] x2 : 0000000000007ff0 x1 : ffff000004570010 x0 : ffff000019600000 [ 16.349071] Call trace: [ 16.360143] __pi_memcpy_generic+0x128/0x22c (P) [ 16.380310] swiotlb_tbl_map_single+0x154/0x2b4 [ 16.400282] swiotlb_map+0x5c/0x228 [ 16.415984] dma_map_phys+0x244/0x2b8 [ 16.432199] dma_map_page_attrs+0x44/0x58 [ 16.449782] virtqueue_map_page_attrs+0x38/0x44 [ 16.469596] virtqueue_map_single_attrs+0xc0/0x130 [ 16.490509] virtnet_rq_alloc.isra.0+0xa4/0x1fc [ 16.510355] try_fill_recv+0x2a4/0x584 [ 16.526989] virtnet_open+0xd4/0x238 [ 16.542775] __dev_open+0x110/0x24c [ 16.558280] __dev_change_flags+0x194/0x20c [ 16.576879] netif_change_flags+0x24/0x6c [ 16.594489] dev_change_flags+0x48/0x7c [ 16.611462] ip_auto_config+0x258/0x1114 [ 16.628727] do_one_initcall+0x80/0x1c8 [ 16.645590] kernel_init_freeable+0x208/0x2f0 [ 16.664917] kernel_init+0x24/0x1e0 [ 16.680295] ret_from_fork+0x10/0x20 [ 16.696369] Code: 927cec03 cb0e0021 8b0e0042 a9411c26 (a900340c) [ 16.723106] ---[ end trace 0000000000000000 ]--- [ 16.752866] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b [ 16.792556] Kernel Offset: 0x3396ea200000 from 0xffff8000800000 ---truncated---

AnalysisAI

Kernel panic in Linux arm64 memory management causes system crash when handling invalid large leaf page table mappings during DMA bounce buffer operations. ARM64 systems running Linux 7.0-rc4 and earlier (specifically kernels with commit a166563e7ec37 that introduced large block mapping support) crash with translation faults when components like SWIOTLB, secretmem, kfence, or realm DMA attempt to invalidate large leaf mappings. Exploitation requires no special privileges as this is triggered by normal kernel operations during boot or DMA activity. Vendor patches available across stable branches (6.18.24, 6.19.14, 7.0.1). EPSS score is 1st percentile (0.01%) indicating extremely low observed exploitation probability, consistent with this being an availability issue requiring specific ARM64 hardware configurations rather than a remotely exploitable vulnerability.

Technical ContextAI

This vulnerability exists in the ARM64 memory management unit (MMU) page table handling code within the Linux kernel's mm subsystem. ARM64 uses a multi-level page table structure (PGD/P4D/PUD/PMD/PTE) where large block mappings optimize TLB usage by mapping 2MB or larger contiguous regions with a single page table entry. The kernel's linear map (the kernel's direct mapping of all physical memory) traditionally used 4KB page granularity, but commit a166563e7ec37 introduced large block mappings even when rodata=full is enabled. Various kernel subsystems (secretmem for process memory isolation, kfence for memory debugging, CCA realm DMA sharing, SWIOTLB for DMA bounce buffering) invalidate PTEs by clearing the PTE_VALID bit to mark memory as inaccessible. However, the page table walking code in __pi_memcpy_generic and related functions was not designed to handle invalid large leaf entries at PMD level, leading to level 2 translation faults (FSC=0x06) when the MMU attempts to resolve these addresses. The crash occurs specifically on BBML2_NOABORT ARM systems during DMA operations when SWIOTLB attempts to copy data to/from bounce buffers mapped through invalidated large block entries. The affected CPE strings indicate this impacts all Linux kernel versions from the initial git commit (1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) through specific commits where fixes were applied across stable branches.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.24, 6.19.14, 7.0.1, or mainline commit 15bfba1ad77fad8e45a37aae54b3c813b33fe27c or later. Patches available at https://git.kernel.org/stable/c/cbea627ea634f41c79d18f0c6d20db66fa93514c (mainline), https://git.kernel.org/stable/c/747b6482e4e227fd351197dde6f64a97107a9e52 (6.19 stable), and https://git.kernel.org/stable/c/8140b21d19015227a28c255404462f2d3e6edc9a (6.18 stable). The fix corrects page table walking logic to properly handle invalid large leaf mappings by checking PTE_VALID before dereferencing PMD entries. If immediate patching is not feasible, temporary workarounds include: disabling large block mappings by removing CONFIG_ARM64_BLOCK_MAPPING or building without commit a166563e7ec37 (reduces performance due to increased TLB pressure and page table overhead - expect 5-15% memory access latency increase), disabling memory isolation features that trigger the bug (CONFIG_SECRETMEM=n, kfence=off boot parameter, avoid CCA realm guests - eliminates security benefits of memory isolation and confidential computing), or limiting DMA bounce buffer usage by ensuring IOMMU pass-through where hardware supports it (may expose devices to direct memory access risks if malicious hardware is present). These workarounds trade security or performance for stability and should only be temporary measures. For production ARM64 environments running confidential VMs or using advanced memory protection features, immediate kernel update is strongly recommended as workarounds disable critical security capabilities.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-25493 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy