Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2026-31787

Severity CVSS v4.0:
Pending analysis
Type:
CWE-415 Double Free
Publication date:
30/04/2026
Last modified:
06/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xen/privcmd: fix double free via VMA splitting<br /> <br /> privcmd_vm_ops defines .close (privcmd_close), but neither .may_split<br /> nor .open. When userspace does a partial munmap() on a privcmd mapping,<br /> the kernel splits the VMA via __split_vma(). Since may_split is NULL,<br /> the split is allowed. vm_area_dup() copies vm_private_data (a pages<br /> array allocated in alloc_empty_pages()) into the new VMA without any<br /> fixup, because there is no .open callback.<br /> <br /> Both VMAs now point to the same pages array. When the unmapped portion<br /> is closed, privcmd_close() calls:<br /> - xen_unmap_domain_gfn_range()<br /> - xen_free_unpopulated_pages()<br /> - kvfree(pages)<br /> <br /> The surviving VMA still holds the dangling pointer. When it is later<br /> destroyed, the same sequence runs again, which leads to a double free.<br /> <br /> Fix this issue by adding a .may_split callback denying the VMA split.<br /> <br /> This is XSA-487 / CVE-2026-31787

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.8 (including) 5.10.254 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.204 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.170 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.137 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.85 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.26 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 7.0.3 (excluding)
cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools