CVE-2026-31787
- Source
- https://cve.org/CVERecord?id=CVE-2026-31787
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31787.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-31787
- Downstream
- Related
- Published
- 2026-04-30T10:31:28.992Z
- Modified
- 2026-05-18T05:59:54.860221778Z
- Summary
- xen/privcmd: fix double free via VMA splitting
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
xen/privcmd: fix double free via VMA splitting
privcmdvmops defines .close (privcmdclose), but neither .maysplit nor .open. When userspace does a partial munmap() on a privcmd mapping, the kernel splits the VMA via __splitvma(). Since maysplit is NULL, the split is allowed. vmareadup() copies vmprivatedata (a pages array allocated in allocemptypages()) into the new VMA without any fixup, because there is no .open callback.
Both VMAs now point to the same pages array. When the unmapped portion is closed, privcmdclose() calls: - xenunmapdomaingfnrange() - xenfreeunpopulatedpages() - kvfree(pages)
The surviving VMA still holds the dangling pointer. When it is later destroyed, the same sequence runs again, which leads to a double free.
Fix this issue by adding a .may_split callback denying the VMA split.
This is XSA-487 / CVE-2026-31787
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31787.json" }- References
-
- http://www.openwall.com/lists/oss-security/2026/04/28/14
- https://git.kernel.org/stable/c/1576ff3869cbd3620717195f971c85b7d7fd62b5
- https://git.kernel.org/stable/c/24daca4fc07f3ff8cd0e3f629cd982187f48436a
- https://git.kernel.org/stable/c/2894a351fe2ea8684919d36df3188b9a35e3926f
- https://git.kernel.org/stable/c/2b985d3a024b9e8c24e21671b34e855569763808
- https://git.kernel.org/stable/c/402d84ad9e89bd4cbfd07ca8598532b7021daf95
- https://git.kernel.org/stable/c/446ee446d9ae66f36e95c3c90bbcc4e56b94cde0
- https://git.kernel.org/stable/c/71bf829800758a6e3889096e4754ef47ba7fc850
- https://git.kernel.org/stable/c/dbf862ce9f009128ab86b234d91413a3e450beb4
- http://xenbits.xen.org/xsa/advisory-487.html
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31787.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-31787
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedd71f513985c22f1050295d1a7e4327cf9fb060daFixeddbf862ce9f009128ab86b234d91413a3e450beb4Fixed2b985d3a024b9e8c24e21671b34e855569763808Fixed1576ff3869cbd3620717195f971c85b7d7fd62b5Fixed402d84ad9e89bd4cbfd07ca8598532b7021daf95Fixed2894a351fe2ea8684919d36df3188b9a35e3926fFixed446ee446d9ae66f36e95c3c90bbcc4e56b94cde0Fixed71bf829800758a6e3889096e4754ef47ba7fc850Fixed24daca4fc07f3ff8cd0e3f629cd982187f48436a
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced3.8.0Fixed5.10.254
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.204
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.170
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.137
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.12.85
- Type
- ECOSYSTEM
- Events
-
Introduced6.13.0Fixed6.18.26
- Type
- ECOSYSTEM
- Events
-
Introduced6.19.0Fixed7.0.3