In the Linux kernel, the following vulnerability has been resolved:
mm: call ->freefolio() directly in foliounmap_invalidate()
We can only call filemapfreefolio() if we have a reference to (or hold a lock on) the mapping. Otherwise, we've already removed the folio from the mapping so it no longer pins the mapping and the mapping can be removed, causing a use-after-free when accessing mapping->a_ops.
Follow the same pattern as __removemapping() and load the freefolio function pointer before dropping the lock on the mapping. That lets us make filemapfreefolio() static as this was the only caller outside filemap.c.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31589.json"
}