CVE-2026-31787
Published: Apr 30, 2026
Modified: May 11, 2026
Description
In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: fix double free via VMA splitting privcmd_vm_ops defines .close (privcmd_close), but neither .may_split nor .open. When userspace does a partial munmap() on a privcmd mapping, the kernel splits the VMA via __split_vma(). Since may_split is NULL, the split is allowed. vm_area_dup() copies vm_private_data (a pages array allocated in alloc_empty_pages()) into the new VMA without any fixup, because there is no .open callback. Both VMAs now point to the same pages array. When the unmapped portion is closed, privcmd_close() calls: - xen_unmap_domain_gfn_range() - xen_free_unpopulated_pages() - kvfree(pages) The surviving VMA still holds the dangling pointer. When it is later destroyed, the same sequence runs again, which leads to a double free. Fix this issue by adding a .may_split callback denying the VMA split. This is XSA-487 / CVE-2026-31787
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected d71f513985c22f1050295d1a7e4327cf9fb060da - < dbf862ce9f009128ab86b234d91413a3e450beb4affected d71f513985c22f1050295d1a7e4327cf9fb060da - < 2b985d3a024b9e8c24e21671b34e855569763808affected d71f513985c22f1050295d1a7e4327cf9fb060da - < 1576ff3869cbd3620717195f971c85b7d7fd62b5affected d71f513985c22f1050295d1a7e4327cf9fb060da - < 402d84ad9e89bd4cbfd07ca8598532b7021daf95affected d71f513985c22f1050295d1a7e4327cf9fb060da - < 2894a351fe2ea8684919d36df3188b9a35e3926f+3 more versions |
Linux | Linux | affected 3.8unaffected 0 - < 3.8unaffected 5.10.254 - <= 5.10.*unaffected 5.15.204 - <= 5.15.*unaffected 6.1.170 - <= 6.1.*+5 more versions |
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now