{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31397", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.085Z", "datePublished": "2026-04-03T15:16:01.427Z", "dateUpdated": "2026-05-11T22:07:54.516Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:07:54.516Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: fix use of NULL folio in move_pages_huge_pmd()\n\nmove_pages_huge_pmd() handles UFFDIO_MOVE for both normal THPs and huge\nzero pages. For the huge zero page path, src_folio is explicitly set to\nNULL, and is used as a sentinel to skip folio operations like lock and\nrmap.\n\nIn the huge zero page branch, src_folio is NULL, so folio_mk_pmd(NULL,\npgprot) passes NULL through folio_pfn() and page_to_pfn(). With\nSPARSEMEM_VMEMMAP this silently produces a bogus PFN, installing a PMD\npointing to non-existent physical memory. On other memory models it is a\nNULL dereference.\n\nUse page_folio(src_page) to obtain the valid huge zero folio from the\npage, which was obtained from pmd_page() and remains valid throughout.\n\nAfter commit d82d09e48219 (\"mm/huge_memory: mark PMD mappings of the huge\nzero folio special\"), moved huge zero PMDs must remain special so\nvm_normal_page_pmd() continues to treat them as special mappings.\n\nmove_pages_huge_pmd() currently reconstructs the destination PMD in the\nhuge zero page branch, which drops PMD state such as pmd_special() on\narchitectures with CONFIG_ARCH_HAS_PTE_SPECIAL. As a result,\nvm_normal_page_pmd() can treat the moved huge zero PMD as a normal page\nand corrupt its refcount.\n\nInstead of reconstructing the PMD from the folio, derive the destination\nentry from src_pmdval after pmdp_huge_clear_flush(), then handle the PMD\nmetadata the same way move_huge_pmd() does for moved entries by marking it\nsoft-dirty and clearing uffd-wp."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/huge_memory.c"], "versions": [{"version": "e3981db444a0a18d350d9f92e3f2e8d489b54211", "lessThan": "f3caaee0f9e489fd2282d4ce45791dc8aed2da62", "status": "affected", "versionType": "git"}, {"version": "e3981db444a0a18d350d9f92e3f2e8d489b54211", "lessThan": "e3133d0986dc5a231d5419167dbac65312b28b41", "status": "affected", "versionType": "git"}, {"version": "e3981db444a0a18d350d9f92e3f2e8d489b54211", "lessThan": "fae654083bfa409bb2244f390232e2be47f05bfc", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/huge_memory.c"], "versions": [{"version": "6.16", "status": "affected"}, {"version": "0", "lessThan": "6.16", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f3caaee0f9e489fd2282d4ce45791dc8aed2da62"}, {"url": "https://git.kernel.org/stable/c/e3133d0986dc5a231d5419167dbac65312b28b41"}, {"url": "https://git.kernel.org/stable/c/fae654083bfa409bb2244f390232e2be47f05bfc"}], "title": "mm/huge_memory: fix use of NULL folio in move_pages_huge_pmd()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: fix use of NULL folio in move_pages_huge_pmd()\n\nmove_pages_huge_pmd() handles UFFDIO_MOVE for both normal THPs and huge\nzero pages. For the huge zero page path, src_folio is explicitly set to\nNULL, and is used as a sentinel to skip folio operations like lock and\nrmap.\n\nIn the huge zero page branch, src_folio is NULL, so folio_mk_pmd(NULL,\npgprot) passes NULL through folio_pfn() and page_to_pfn(). With\nSPARSEMEM_VMEMMAP this silently produces a bogus PFN, installing a PMD\npointing to non-existent physical memory. On other memory models it is a\nNULL dereference.\n\nUse page_folio(src_page) to obtain the valid huge zero folio from the\npage, which was obtained from pmd_page() and remains valid throughout.\n\nAfter commit d82d09e48219 (\"mm/huge_memory: mark PMD mappings of the huge\nzero folio special\"), moved huge zero PMDs must remain special so\nvm_normal_page_pmd() continues to treat them as special mappings.\n\nmove_pages_huge_pmd() currently reconstructs the destination PMD in the\nhuge zero page branch, which drops PMD state such as pmd_special() on\narchitectures with CONFIG_ARCH_HAS_PTE_SPECIAL. As a result,\nvm_normal_page_pmd() can treat the moved huge zero PMD as a normal page\nand corrupt its refcount.\n\nInstead of reconstructing the PMD from the folio, derive the destination\nentry from src_pmdval after pmdp_huge_clear_flush(), then handle the PMD\nmetadata the same way move_huge_pmd() does for moved entries by marking it\nsoft-dirty and clearing uffd-wp."}], "id": "CVE-2026-31397", "lastModified": "2026-04-27T14:16:35.777", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-03T16:16:38.093", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e3133d0986dc5a231d5419167dbac65312b28b41"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f3caaee0f9e489fd2282d4ce45791dc8aed2da62"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fae654083bfa409bb2244f390232e2be47f05bfc"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: mm/huge_memory: fix use of NULL folio in move_pages_huge_pmd()", "id": "2454854", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454854"}, "csaw": false, "cwe": "CWE-476", "details": ["A flaw was found in the Linux kernel's memory management subsystem, specifically within the `move_pages_huge_pmd()` function. A local user could exploit a NULL pointer dereference when handling huge zero pages, which can lead to a system crash and a Denial of Service (DoS). Furthermore, improper reconstruction of Page Middle Directory (PMD) entries can cause memory corruption by incorrectly treating special memory mappings as normal pages, potentially leading to system instability."], "name": "CVE-2026-31397", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31397\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31397\nhttps://lore.kernel.org/linux-cve-announce/2026040326-CVE-2026-31397-8672@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e3981db444a0a18d350d9f92e3f2e8d489b54211,f3caaee0f9e489fd2282d4ce45791dc8aed2da62)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e3981db444a0a18d350d9f92e3f2e8d489b54211,e3133d0986dc5a231d5419167dbac65312b28b41)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e3981db444a0a18d350d9f92e3f2e8d489b54211,fae654083bfa409bb2244f390232e2be47f05bfc)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.16"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.16)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.20,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.10,6.19.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T16:35:50.373581+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel update that incorporates commit d82d09e48219 or later, which fixes the NULL folio handling in move_pages_huge_pmd.", "Recompile any custom kernel modules or drivers against the updated kernel headers to prevent mismatches that could re\u2011introduce the issue.", "After applying the update, reboot the system to ensure all memory mappings are rebuilt and legacy references are cleared."], "summary": {"action": "Patch Immediately", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Linux kernels that contain the buggy move_pages_huge_pmd implementation are affected. The exact affected release series is not listed in the advisory, so any kernel version prior to the commit that introduces this fix is potentially vulnerable.", "description_and_impact": "The move_pages_huge_pmd function in the Linux kernel mishandles a NULL folio when moving huge zero pages. This bug causes a bogus page frame number to be written into a PMD entry, pointing to non\u2011existent memory or causing a NULL dereference. An attacker who can invoke the UFFDIO_MOVE ioctl can trigger a kernel crash or memory corruption, resulting in a denial of service and potential corruption of data used by other processes.", "risk_and_exploitability": "The CVSS score is 7.8 and the EPSS score is <1%, indicating a high severity but low exploitation probability. However, the vulnerability involves a kernel memory corruption scenario that can be triggered via a privileged ioctl. In environments where an attacker can reach kernel space\u2014such as a local privileged user or a compromised device\u2014the risk of a crash or data corruption is high. The vulnerability is not currently listed in CISA\u2019s KEV catalog, indicating no publicly known active exploitation at this time."}}}}, "created": "2026-04-03T21:13:16.272125+00:00", "updated": "2026-04-28T16:45:06.166176+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}