CVE-2026-31397
Analyzed Analyzed - Analysis Complete
NULL Pointer Dereference in Linux Kernel move_pages_huge_pmd

Publication date: 2026-04-03

Last updated on: 2026-05-20

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix use of NULL folio in move_pages_huge_pmd() move_pages_huge_pmd() handles UFFDIO_MOVE for both normal THPs and huge zero pages. For the huge zero page path, src_folio is explicitly set to NULL, and is used as a sentinel to skip folio operations like lock and rmap. In the huge zero page branch, src_folio is NULL, so folio_mk_pmd(NULL, pgprot) passes NULL through folio_pfn() and page_to_pfn(). With SPARSEMEM_VMEMMAP this silently produces a bogus PFN, installing a PMD pointing to non-existent physical memory. On other memory models it is a NULL dereference. Use page_folio(src_page) to obtain the valid huge zero folio from the page, which was obtained from pmd_page() and remains valid throughout. After commit d82d09e48219 ("mm/huge_memory: mark PMD mappings of the huge zero folio special"), moved huge zero PMDs must remain special so vm_normal_page_pmd() continues to treat them as special mappings. move_pages_huge_pmd() currently reconstructs the destination PMD in the huge zero page branch, which drops PMD state such as pmd_special() on architectures with CONFIG_ARCH_HAS_PTE_SPECIAL. As a result, vm_normal_page_pmd() can treat the moved huge zero PMD as a normal page and corrupt its refcount. Instead of reconstructing the PMD from the folio, derive the destination entry from src_pmdval after pmdp_huge_clear_flush(), then handle the PMD metadata the same way move_huge_pmd() does for moved entries by marking it soft-dirty and clearing uffd-wp.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-05-20
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31397
EUVD
EUVD-2026-18776
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.10 (exc)
linux linux_kernel From 6.16 (inc) to 6.18.20 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's memory management subsystem, specifically in the function move_pages_huge_pmd(). The function handles moving huge pages, including huge zero pages, but incorrectly uses a NULL folio as a sentinel value. This leads to passing NULL through functions that expect valid memory references, which on some memory models results in creating a page middle directory (PMD) entry pointing to non-existent physical memory, and on others causes a NULL pointer dereference.

The root cause is that the code reconstructs the destination PMD entry incorrectly for huge zero pages, dropping special PMD state flags. This causes the system to treat special huge zero page mappings as normal pages, potentially corrupting reference counts and memory management metadata.

The fix involves properly obtaining the valid huge zero folio from the page instead of using NULL, and preserving PMD metadata by deriving the destination PMD entry correctly and marking it with appropriate flags.

Impact Analysis

This vulnerability can lead to memory corruption or system crashes due to invalid memory references or corrupted reference counts in the Linux kernel's memory management. Specifically, it can cause the kernel to reference non-existent physical memory or dereference NULL pointers, potentially leading to system instability or denial of service.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by fixing the handling of NULL folio in move_pages_huge_pmd(). To mitigate this vulnerability, you should update your Linux kernel to a version that includes the fix described in the commit d82d09e48219.

This update ensures that huge zero PMDs remain special and prevents corruption of reference counts by properly handling PMD metadata instead of reconstructing the PMD from the folio.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31397. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart