{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31652", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.128Z", "datePublished": "2026-04-24T14:45:04.930Z", "dateUpdated": "2026-05-11T22:12:57.491Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:12:57.491Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/stat: deallocate damon_call() failure leaking damon_ctx\n\ndamon_stat_start() always allocates the module's damon_ctx object\n(damon_stat_context). Meanwhile, if damon_call() in the function fails,\nthe damon_ctx object is not deallocated. Hence, if the damon_call() is\nfailed, and the user writes Y to \u201cenabled\u201d again, the previously\nallocated damon_ctx object is leaked.\n\nThis cannot simply be fixed by deallocating the damon_ctx object when\ndamon_call() fails. That's because damon_call() failure doesn't guarantee\nthe kdamond main function, which accesses the damon_ctx object, is\ncompletely finished. In other words, if damon_stat_start() deallocates\nthe damon_ctx object after damon_call() failure, the not-yet-terminated\nkdamond could access the freed memory (use-after-free).\n\nFix the leak while avoiding the use-after-free by keeping returning\ndamon_stat_start() without deallocating the damon_ctx object after\ndamon_call() failure, but deallocating it when the function is invoked\nagain and the kdamond is completely terminated. If the kdamond is not yet\nterminated, simply return -EAGAIN, as the kdamond will soon be terminated.\n\nThe issue was discovered [1] by sashiko."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/damon/stat.c"], "versions": [{"version": "405f61996d9d2e9d497cd9f6b66f41dc28d3d1d8", "lessThan": "447f8870b484f6596d7a7130e72bd0a3f1e037bb", "status": "affected", "versionType": "git"}, {"version": "405f61996d9d2e9d497cd9f6b66f41dc28d3d1d8", "lessThan": "16c92e9bf55fa049ddb5e894dc0623dacd46a620", "status": "affected", "versionType": "git"}, {"version": "405f61996d9d2e9d497cd9f6b66f41dc28d3d1d8", "lessThan": "4c04c6b47c361612b1d70cec8f7a60b1482d1400", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/damon/stat.c"], "versions": [{"version": "6.17", "status": "affected"}, {"version": "0", "lessThan": "6.17", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.23", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.13", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "6.18.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "6.19.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/447f8870b484f6596d7a7130e72bd0a3f1e037bb"}, {"url": "https://git.kernel.org/stable/c/16c92e9bf55fa049ddb5e894dc0623dacd46a620"}, {"url": "https://git.kernel.org/stable/c/4c04c6b47c361612b1d70cec8f7a60b1482d1400"}], "title": "mm/damon/stat: deallocate damon_call() failure leaking damon_ctx", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0DC92196-2D7B-4F07-A19F-B43E0624C441", "versionEndExcluding": "6.18.23", "versionStartIncluding": "6.17.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1490EF9B-9080-481C-8D22-1306AAE664E4", "versionEndExcluding": "6.19.13", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*", "matchCriteriaId": "7CC8B11D-82DC-4958-8DC7-BF5CC829A5E9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/stat: deallocate damon_call() failure leaking damon_ctx\n\ndamon_stat_start() always allocates the module's damon_ctx object\n(damon_stat_context). Meanwhile, if damon_call() in the function fails,\nthe damon_ctx object is not deallocated. Hence, if the damon_call() is\nfailed, and the user writes Y to \u201cenabled\u201d again, the previously\nallocated damon_ctx object is leaked.\n\nThis cannot simply be fixed by deallocating the damon_ctx object when\ndamon_call() fails. That's because damon_call() failure doesn't guarantee\nthe kdamond main function, which accesses the damon_ctx object, is\ncompletely finished. In other words, if damon_stat_start() deallocates\nthe damon_ctx object after damon_call() failure, the not-yet-terminated\nkdamond could access the freed memory (use-after-free).\n\nFix the leak while avoiding the use-after-free by keeping returning\ndamon_stat_start() without deallocating the damon_ctx object after\ndamon_call() failure, but deallocating it when the function is invoked\nagain and the kdamond is completely terminated. If the kdamond is not yet\nterminated, simply return -EAGAIN, as the kdamond will soon be terminated.\n\nThe issue was discovered [1] by sashiko."}], "id": "CVE-2026-31652", "lastModified": "2026-04-27T20:16:12.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-24T15:16:44.697", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/16c92e9bf55fa049ddb5e894dc0623dacd46a620"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/447f8870b484f6596d7a7130e72bd0a3f1e037bb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4c04c6b47c361612b1d70cec8f7a60b1482d1400"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: mm/damon/stat: deallocate damon_call() failure leaking damon_ctx", "id": "2461492", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461492"}, "csaw": false, "cwe": "CWE-772", "details": ["A flaw was found in the Linux kernel. When the `damon_stat_start()` function fails to complete its operation, a memory leak can occur. If a user attempts to re-enable the DAMON (Data Access MONitor) feature, previously allocated memory for the `damon_ctx` object is not properly deallocated, leading to a persistent memory leak. This can result in resource exhaustion over time, potentially impacting system stability."], "name": "CVE-2026-31652", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31652\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31652\nhttps://lore.kernel.org/linux-cve-announce/2026042400-CVE-2026-31652-e967@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[405f61996d9d2e9d497cd9f6b66f41dc28d3d1d8,447f8870b484f6596d7a7130e72bd0a3f1e037bb)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[405f61996d9d2e9d497cd9f6b66f41dc28d3d1d8,16c92e9bf55fa049ddb5e894dc0623dacd46a620)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[405f61996d9d2e9d497cd9f6b66f41dc28d3d1d8,4c04c6b47c361612b1d70cec8f7a60b1482d1400)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.17"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.17)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.23,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.13,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T13:47:25.924888+00:00", "value": {"mitigation_remediation": ["Upgrade the kernel to a version that contains the fix for the damon_ctx deallocation issue, such as any release newer than Linux kernel 6.17 or post\u20117.0 RC5.\nReboot the system after applying the updated kernel to ensure the patched code is loaded.\nIf an immediate kernel upgrade is not feasible, disable or remove the kdamond subsystem (or the feature that enables damon_stat_start) until a patch is available to prevent the allocation path from being exercised."], "summary": {"action": "Immediate Patch", "impact": "Use-after-Free"}, "threat_synthesis": {"affected_systems": "This issue affects the Linux kernel in releases 6.17 and all 7.0 release candidates (rc1 through rc7). It is therefore relevant to any distribution that ships one of these kernel versions or later until the vendor applies the fix.", "description_and_impact": "The Linux kernel contains a flaw in mm/damon/stat where the damon_ctx object allocated by damon_stat_start() is not properly freed when damon_call() fails. This oversight allows the context to leak memory after the user re\u2011enables the feature, and if the object were to be freed prematurely the kdamond process could later access the freed memory leading to a use\u2011after\u2011free condition. The consequence is a kernel memory leak that can culminate in kernel instability or a local denial of service if the attacker can repeatedly allocate and fail to trigger the cleaner. The weakness is classified as CWE\u2011416 (Use\u2011After\u2011Free) and CWE\u2011772 (resource leak).", "risk_and_exploitability": "The CVSS score of 7.8 reflects moderate to high severity, while the EPSS score of less than 1% indicates that exploitation is unlikely to be observed in the wild but is still possible. The vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploits. The likely attack vector is local; an attacker with kernel\u2011level privileges can cause the allocation and subsequent failure to trigger the memory leak or potential use\u2011after\u2011free, leading to a denial of service or further kernel compromise if combined with other local vulnerabilities."}}}}, "created": "2026-04-27T18:45:11.316415+00:00", "updated": "2026-04-28T14:00:16.481805+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}