{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31555", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.115Z", "datePublished": "2026-04-24T14:35:39.211Z", "dateUpdated": "2026-05-11T22:11:02.897Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:11:02.897Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Clear stale exiting pointer in futex_lock_pi() retry path\n\nFuzzying/stressing futexes triggered:\n\n WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524\n\nWhen futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY\nand stores a refcounted task pointer in 'exiting'.\n\nAfter wait_for_owner_exiting() consumes that reference, the local pointer\nis never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a\ndifferent error, the bogus pointer is passed to wait_for_owner_exiting().\n\n CPU0\t\t\t CPU1\t\t CPU2\n futex_lock_pi(uaddr)\n // acquires the PI futex\n exit()\n futex_cleanup_begin()\n futex_state = EXITING;\n\t\t\t futex_lock_pi(uaddr)\n\t\t\t futex_lock_pi_atomic()\n\t\t\t\t attach_to_pi_owner()\n\t\t\t\t // observes EXITING\n\t\t\t\t *exiting = owner; // takes ref\n\t\t\t\t return -EBUSY\n\t\t\t wait_for_owner_exiting(-EBUSY, owner)\n\t\t\t\t put_task_struct(); // drops ref\n\t\t\t // exiting still points to owner\n\t\t\t goto retry;\n\t\t\t futex_lock_pi_atomic()\n\t\t\t\t lock_pi_update_atomic()\n\t\t\t\t cmpxchg(uaddr)\n\t\t\t\t\t*uaddr ^= WAITERS // whatever\n\t\t\t\t // value changed\n\t\t\t\t return -EAGAIN;\n\t\t\t wait_for_owner_exiting(-EAGAIN, exiting) // stale\n\t\t\t\t WARN_ON_ONCE(exiting)\n\nFix this by resetting upon retry, essentially aligning it with requeue_pi."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/futex/pi.c"], "versions": [{"version": "3ef240eaff36b8119ac9e2ea17cbf41179c930ba", "lessThan": "33095ae3bdde5e5c264d7e88a2f3e7703a26c7aa", "status": "affected", "versionType": "git"}, {"version": "3ef240eaff36b8119ac9e2ea17cbf41179c930ba", "lessThan": "e7824ec168d2ac883a213cd1f4d6cc0816002a85", "status": "affected", "versionType": "git"}, {"version": "3ef240eaff36b8119ac9e2ea17cbf41179c930ba", "lessThan": "5e8e06bf8909e79b4acd950cf578cfc2f10bbefa", "status": "affected", "versionType": "git"}, {"version": "3ef240eaff36b8119ac9e2ea17cbf41179c930ba", "lessThan": "de7c0c04ad868f2cee6671b11c0a6d20421af1da", "status": "affected", "versionType": "git"}, {"version": "3ef240eaff36b8119ac9e2ea17cbf41179c930ba", "lessThan": "7475dfad10a05a5bfadebf5f2499bd61b19ed293", "status": "affected", "versionType": "git"}, {"version": "3ef240eaff36b8119ac9e2ea17cbf41179c930ba", "lessThan": "92e47ad03e03dbb5515bdf06444bf6b1e147310d", "status": "affected", "versionType": "git"}, {"version": "3ef240eaff36b8119ac9e2ea17cbf41179c930ba", "lessThan": "71112e62807d1925dc3ae6188b11f8cfc85aec23", "status": "affected", "versionType": "git"}, {"version": "3ef240eaff36b8119ac9e2ea17cbf41179c930ba", "lessThan": "210d36d892de5195e6766c45519dfb1e65f3eb83", "status": "affected", "versionType": "git"}, {"version": "f2a9957e5c08b1b1caacd18a3dc4c0a1bdb7b463", "status": "affected", "versionType": "git"}, {"version": "cf16e42709aa86aa3e37f3acc3d13d5715d90096", "status": "affected", "versionType": "git"}, {"version": "61fa9f167caaa73d0a7c88f498eceeb12c6fa3db", "status": "affected", "versionType": "git"}, {"version": "7874eee0130adf9bee28e8720bb5dd051089def3", "status": "affected", "versionType": "git"}, {"version": "fc3b55ef2c840bb2746b2d8121a0788de84f7fac", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/futex/pi.c"], "versions": [{"version": "5.5", "status": "affected"}, {"version": "0", "lessThan": "5.5", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "7.0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.4.255"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9.255"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.158"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.172"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/33095ae3bdde5e5c264d7e88a2f3e7703a26c7aa"}, {"url": "https://git.kernel.org/stable/c/e7824ec168d2ac883a213cd1f4d6cc0816002a85"}, {"url": "https://git.kernel.org/stable/c/5e8e06bf8909e79b4acd950cf578cfc2f10bbefa"}, {"url": "https://git.kernel.org/stable/c/de7c0c04ad868f2cee6671b11c0a6d20421af1da"}, {"url": "https://git.kernel.org/stable/c/7475dfad10a05a5bfadebf5f2499bd61b19ed293"}, {"url": "https://git.kernel.org/stable/c/92e47ad03e03dbb5515bdf06444bf6b1e147310d"}, {"url": "https://git.kernel.org/stable/c/71112e62807d1925dc3ae6188b11f8cfc85aec23"}, {"url": "https://git.kernel.org/stable/c/210d36d892de5195e6766c45519dfb1e65f3eb83"}], "title": "futex: Clear stale exiting pointer in futex_lock_pi() retry path", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "39A57944-7654-4465-9F2B-4DC1CB18ADFB", "versionEndExcluding": "4.5", "versionStartIncluding": "4.4.255", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F932A542-7872-4F86-AD1E-00CCC240C25D", "versionEndExcluding": "4.10", "versionStartIncluding": "4.9.255", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C62F59A2-9EFC-4E7F-B9E7-3DFF4E885406", "versionEndExcluding": "4.15", "versionStartIncluding": "4.14.158", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "235BE773-4E0B-4AD6-9314-D176A65C4B73", "versionEndExcluding": "4.20", "versionStartIncluding": "4.19.172", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "025DC0BA-08A8-4703-AE9F-7C3D8E346A45", "versionEndExcluding": "5.5", "versionStartIncluding": "5.4.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "45E871E1-B00E-4E88-83A3-60B38EAF2B8A", "versionEndExcluding": "5.10.253", "versionStartIncluding": "5.5.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2DDDCA1-6DAB-4018-B920-8F045DDD8D3B", "versionEndExcluding": "6.1.168", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CE6ED4D4-0046-4573-BFA9-D64143B6A89F", "versionEndExcluding": "6.6.131", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6", "versionEndExcluding": "6.12.80", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE", "versionEndExcluding": "6.18.21", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.5:-:*:*:*:*:*:*", "matchCriteriaId": "EE98F46A-F7D9-4609-B6A0-882E7F0D378C", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Clear stale exiting pointer in futex_lock_pi() retry path\n\nFuzzying/stressing futexes triggered:\n\n WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524\n\nWhen futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY\nand stores a refcounted task pointer in 'exiting'.\n\nAfter wait_for_owner_exiting() consumes that reference, the local pointer\nis never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a\ndifferent error, the bogus pointer is passed to wait_for_owner_exiting().\n\n CPU0\t\t\t CPU1\t\t CPU2\n futex_lock_pi(uaddr)\n // acquires the PI futex\n exit()\n futex_cleanup_begin()\n futex_state = EXITING;\n\t\t\t futex_lock_pi(uaddr)\n\t\t\t futex_lock_pi_atomic()\n\t\t\t\t attach_to_pi_owner()\n\t\t\t\t // observes EXITING\n\t\t\t\t *exiting = owner; // takes ref\n\t\t\t\t return -EBUSY\n\t\t\t wait_for_owner_exiting(-EBUSY, owner)\n\t\t\t\t put_task_struct(); // drops ref\n\t\t\t // exiting still points to owner\n\t\t\t goto retry;\n\t\t\t futex_lock_pi_atomic()\n\t\t\t\t lock_pi_update_atomic()\n\t\t\t\t cmpxchg(uaddr)\n\t\t\t\t\t*uaddr ^= WAITERS // whatever\n\t\t\t\t // value changed\n\t\t\t\t return -EAGAIN;\n\t\t\t wait_for_owner_exiting(-EAGAIN, exiting) // stale\n\t\t\t\t WARN_ON_ONCE(exiting)\n\nFix this by resetting upon retry, essentially aligning it with requeue_pi."}], "id": "CVE-2026-31555", "lastModified": "2026-04-27T20:14:27.780", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-24T15:16:29.837", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/210d36d892de5195e6766c45519dfb1e65f3eb83"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/33095ae3bdde5e5c264d7e88a2f3e7703a26c7aa"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5e8e06bf8909e79b4acd950cf578cfc2f10bbefa"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/71112e62807d1925dc3ae6188b11f8cfc85aec23"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7475dfad10a05a5bfadebf5f2499bd61b19ed293"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/92e47ad03e03dbb5515bdf06444bf6b1e147310d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/de7c0c04ad868f2cee6671b11c0a6d20421af1da"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e7824ec168d2ac883a213cd1f4d6cc0816002a85"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: futex: Clear stale exiting pointer in futex_lock_pi() retry path", "id": "2461473", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461473"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in the Linux kernel. A local user could exploit a race condition within the `futex_lock_pi()` retry path. This vulnerability occurs because a stale pointer to an exiting process is not cleared, leading to a kernel warning. Successful exploitation of this flaw could result in a system crash, causing a Denial of Service (DoS)."], "name": "CVE-2026-31555", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31555\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31555\nhttps://lore.kernel.org/linux-cve-announce/2026042456-CVE-2026-31555-ba94@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3ef240eaff36b8119ac9e2ea17cbf41179c930ba,33095ae3bdde5e5c264d7e88a2f3e7703a26c7aa)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3ef240eaff36b8119ac9e2ea17cbf41179c930ba,e7824ec168d2ac883a213cd1f4d6cc0816002a85)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3ef240eaff36b8119ac9e2ea17cbf41179c930ba,5e8e06bf8909e79b4acd950cf578cfc2f10bbefa)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3ef240eaff36b8119ac9e2ea17cbf41179c930ba,de7c0c04ad868f2cee6671b11c0a6d20421af1da)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3ef240eaff36b8119ac9e2ea17cbf41179c930ba,7475dfad10a05a5bfadebf5f2499bd61b19ed293)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3ef240eaff36b8119ac9e2ea17cbf41179c930ba,92e47ad03e03dbb5515bdf06444bf6b1e147310d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3ef240eaff36b8119ac9e2ea17cbf41179c930ba,71112e62807d1925dc3ae6188b11f8cfc85aec23)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3ef240eaff36b8119ac9e2ea17cbf41179c930ba,210d36d892de5195e6766c45519dfb1e65f3eb83)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "f2a9957e5c08b1b1caacd18a3dc4c0a1bdb7b463"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "cf16e42709aa86aa3e37f3acc3d13d5715d90096"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "61fa9f167caaa73d0a7c88f498eceeb12c6fa3db"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "7874eee0130adf9bee28e8720bb5dd051089def3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "fc3b55ef2c840bb2746b2d8121a0788de84f7fac"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,5.5)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.10.253,5.11.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.203,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.168,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.131,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.80,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T14:15:44.826627+00:00", "value": {"mitigation_remediation": ["Update the kernel to a patched version that addresses the futex retry path bug, such as the latest mainline or vendor released security update.", "Monitor system logs for WARN_ON_ONCE messages associated with futex_cleanup_begin or wait_for_owner_exiting to identify any remaining stale pointer issues.", "If a distro backport or errata fix is available, install the vendor\u2019s security update package that includes the futex fix; avoid using custom kernel builds until patched."], "summary": {"action": "Apply Patch", "impact": "Kernel Crash or Denial of Service"}, "threat_synthesis": {"affected_systems": "This bug affects Linux kernel builds that contain the buggy futex logic. Known affected kernel versions include at least 5.5 and all 7.0 pre\u2011release candidates (rc1\u2011rc7). The vulnerability applies to any distribution that ships with a kernel containing that code path until a patch is applied.", "description_and_impact": "The flaw exists in the Linux kernel\u2019s futex implementation. When a thread that owns a PI futex exits, the kernel records a reference to the exiting task. Subsequent retry attempts to acquire the same futex mistakenly reuse the stale task pointer because the reference is never nullified. This can trigger a kernel warning and, in the worst case, lead to a crash if the stale pointer is dereferenced. The issue does not directly provide a command\u2011or\u2011code\u2011execution path but can degrade kernel stability. The weakness is classified as CWE\u2011825, representing a race condition with unsafe use of race\u2011conditioned state.", "risk_and_exploitability": "The CVSS score of 5.5 reflects a moderate risk, while the EPSS score of less than 1% indicates a very low probability that an attacker would successfully exploit it. The flaw is not listed in CISA\u2019s KEV catalog. Because the bug requires a specific kernel path that is exercised during normal futex usage, it is plausible only with local execution privileges. An attacker with local access could trigger repeated futex contention to provoke the stale pointer warning and potentially destabilize the system, but there is no publicly documented remote exploitation vector."}}}}, "created": "2026-04-27T19:15:11.616267+00:00", "updated": "2026-04-28T14:30:33.725881+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}