{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31575", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.119Z", "datePublished": "2026-04-24T14:42:07.502Z", "dateUpdated": "2026-05-11T22:11:26.533Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:11:26.533Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/userfaultfd: fix hugetlb fault mutex hash calculation\n\nIn mfill_atomic_hugetlb(), linear_page_index() is used to calculate the\npage index for hugetlb_fault_mutex_hash(). However, linear_page_index()\nreturns the index in PAGE_SIZE units, while hugetlb_fault_mutex_hash()\nexpects the index in huge page units. This mismatch means that different\naddresses within the same huge page can produce different hash values,\nleading to the use of different mutexes for the same huge page. This can\ncause races between faulting threads, which can corrupt the reservation\nmap and trigger the BUG_ON in resv_map_release().\n\nFix this by introducing hugetlb_linear_page_index(), which returns the\npage index in huge page granularity, and using it in place of\nlinear_page_index()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/hugetlb.h", "mm/userfaultfd.c"], "versions": [{"version": "a08c7193e4f18dc8508f2d07d0de2c5b94cb39a3", "lessThan": "5a525c43baaba0bf3063f86996ca3623b71e4172", "status": "affected", "versionType": "git"}, {"version": "a08c7193e4f18dc8508f2d07d0de2c5b94cb39a3", "lessThan": "574501ede47ac439afd67ba9812bc66722d500ba", "status": "affected", "versionType": "git"}, {"version": "a08c7193e4f18dc8508f2d07d0de2c5b94cb39a3", "lessThan": "08282b1bf74c69fc8ecd25493e7fdb5460f01290", "status": "affected", "versionType": "git"}, {"version": "a08c7193e4f18dc8508f2d07d0de2c5b94cb39a3", "lessThan": "f4689fc089765d36c026063fb22d23533e883eb6", "status": "affected", "versionType": "git"}, {"version": "a08c7193e4f18dc8508f2d07d0de2c5b94cb39a3", "lessThan": "0217c7fb4de4a40cee667eb21901f3204effe5ac", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/hugetlb.h", "mm/userfaultfd.c"], "versions": [{"version": "6.7", "status": "affected"}, {"version": "0", "lessThan": "6.7", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.84", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.24", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.14", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.1", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.84"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.18.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.19.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "7.0.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "7.1-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5a525c43baaba0bf3063f86996ca3623b71e4172"}, {"url": "https://git.kernel.org/stable/c/574501ede47ac439afd67ba9812bc66722d500ba"}, {"url": "https://git.kernel.org/stable/c/08282b1bf74c69fc8ecd25493e7fdb5460f01290"}, {"url": "https://git.kernel.org/stable/c/f4689fc089765d36c026063fb22d23533e883eb6"}, {"url": "https://git.kernel.org/stable/c/0217c7fb4de4a40cee667eb21901f3204effe5ac"}], "title": "mm/userfaultfd: fix hugetlb fault mutex hash calculation", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9BC7BB9E-B7C1-413D-9B8D-BE033C486508", "versionEndExcluding": "6.12.84", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555", "versionEndExcluding": "6.18.24", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB", "versionEndExcluding": "6.19.14", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A", "versionEndExcluding": "7.0.1", "versionStartIncluding": "7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/userfaultfd: fix hugetlb fault mutex hash calculation\n\nIn mfill_atomic_hugetlb(), linear_page_index() is used to calculate the\npage index for hugetlb_fault_mutex_hash(). However, linear_page_index()\nreturns the index in PAGE_SIZE units, while hugetlb_fault_mutex_hash()\nexpects the index in huge page units. This mismatch means that different\naddresses within the same huge page can produce different hash values,\nleading to the use of different mutexes for the same huge page. This can\ncause races between faulting threads, which can corrupt the reservation\nmap and trigger the BUG_ON in resv_map_release().\n\nFix this by introducing hugetlb_linear_page_index(), which returns the\npage index in huge page granularity, and using it in place of\nlinear_page_index()."}], "id": "CVE-2026-31575", "lastModified": "2026-04-27T23:15:42.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-24T15:16:32.123", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0217c7fb4de4a40cee667eb21901f3204effe5ac"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/08282b1bf74c69fc8ecd25493e7fdb5460f01290"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/574501ede47ac439afd67ba9812bc66722d500ba"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5a525c43baaba0bf3063f86996ca3623b71e4172"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f4689fc089765d36c026063fb22d23533e883eb6"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: mm/userfaultfd: fix hugetlb fault mutex hash calculation", "id": "2461557", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461557"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-821", "details": ["A flaw was found in the Linux kernel. A mismatch in the calculation of page indexes for huge pages within the `mm/userfaultfd` component can lead to race conditions between threads. These race conditions can corrupt the reservation map, potentially causing a system crash and resulting in a Denial of Service (DoS)."], "name": "CVE-2026-31575", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31575\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31575\nhttps://lore.kernel.org/linux-cve-announce/2026042409-CVE-2026-31575-c1bf@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a08c7193e4f18dc8508f2d07d0de2c5b94cb39a3,5a525c43baaba0bf3063f86996ca3623b71e4172)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a08c7193e4f18dc8508f2d07d0de2c5b94cb39a3,574501ede47ac439afd67ba9812bc66722d500ba)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a08c7193e4f18dc8508f2d07d0de2c5b94cb39a3,08282b1bf74c69fc8ecd25493e7fdb5460f01290)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a08c7193e4f18dc8508f2d07d0de2c5b94cb39a3,f4689fc089765d36c026063fb22d23533e883eb6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a08c7193e4f18dc8508f2d07d0de2c5b94cb39a3,0217c7fb4de4a40cee667eb21901f3204effe5ac)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.7"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.7)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.84,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.24,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.14,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0.1,7.1.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.1-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T14:08:36.936441+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that includes the hugetlb_linear_page_index() fix.", "If updating is not immediately possible, restrict or disable the use of userfaultfd in combination with huge pages on affected systems.", "Monitor system logs for unexpected BUG_ON occurrences or kernel crashes and apply the patch as soon as it becomes available."], "summary": {"action": "Apply Patch", "impact": "Kernel memory corruption and potential crash"}, "threat_synthesis": {"affected_systems": "All Linux kernel builds that contain the buggy hugetlb fault handling routine before the fix, including all current and previous releases that have not yet incorporated the patch. The affected product is the Linux kernel, version unspecified in the advisory.", "description_and_impact": "In the Linux kernel, a race condition in hugetlb fault handling is triggered when the page index used to locate a hugetlb fault mutex does not match the expected huge page granularity. The mismatch leads to different mutexes being used for addresses within the same huge page, corrupting a reservation map and causing a BUG_ON on release. The flaw can cause kernel memory corruption, which may result in a system crash. The weakness is identified by CWE-821 and NVD-CWE-noinfo.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity. The EPSS score is reported as less than 1%, indicating a low probability of exploitation in the wild. CVE-2026-31575 is not listed in CISA\u2019s KEV catalog. Exploitation would require an attacker to trigger the hugetlb fault mechanism, which can be done via the userfaultfd interface. An attacker with local user privileges could induce the race to crash the system, but remote or privilege\u2011escalating exploitation is not supported by the available information."}}}}, "created": "2026-04-27T19:00:15.729575+00:00", "updated": "2026-04-28T14:15:34.911923+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}