CVE-2026-31597

Source
https://cve.org/CVERecord?id=CVE-2026-31597
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31597.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31597
Published
2026-04-24T14:42:22.655Z
Modified
2026-06-18T03:57:06.560051795Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
Details

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY, as documented in mm/filemap.c:

"If our return value has VM_FAULT_RETRY set, it's because the mmap_lock may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."

When this happens, a concurrent munmap() can call remove_vma() and free the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call dereferences it -- a use-after-free.

Fix this by saving ip_blkno as a plain integer before calling filemap_fault(), and removing vma from the trace event. Since ip_blkno is copied by value before the lock can be dropped, it remains valid regardless of what happens to the vma or inode afterward.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31597.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
  Introduced: 614a9e849ca6ea24843795251cb30af525d5336b
  Fixed: 36539c4d536f851a3b346a6ebb27b51bc3d77a94
  Fixed: 35c2c05261d6f6d84aaa1355afa201d507943e76
  Fixed: 3f5e74b5db9353b01ed50f4de84e75b755f8fbc2
  Fixed: 6f072daefcab1d84ce37c073645615f63be91006
  Fixed: 4cf2768a0291a0cdd0dae801ea0eafa3878a349d
  Fixed: d45ff441b416d4aa1af72b1db23d959601c04da2
  Fixed: 76a602fdbb78dd05b2da06f74a988cebc97e82d0
  Fixed: 925bf22c1b823e231b1baea761fe8a1512e442f2
  Fixed: 7de554cabf160e331e4442e2a9ad874ca9875921

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31597.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges (Type: ECOSYSTEM, one event pair per range)

  Introduced 2.6.39    Fixed 5.10.258
  Introduced 5.11.0    Fixed 5.15.209
  Introduced 5.16.0    Fixed 6.1.175
  Introduced 6.2.0     Fixed 6.6.136
  Introduced 6.7.0     Fixed 6.12.83
  Introduced 6.13.0    Fixed 6.18.24
  Introduced 6.19.0    Fixed 6.19.14
  Introduced 6.20.0    Fixed 7.0.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31597.json"