CVE-2026-31445
Analyzed Analyzed - Analysis Complete
Use-After-Free in Linux Kernel DAMON Context Causes Potential Crashes

Publication date: 2026-04-22

Last updated on: 2026-05-07

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: avoid use of half-online-committed context One major usage of damon_call() is online DAMON parameters update. It is done by calling damon_commit_ctx() inside the damon_call() callback function. damon_commit_ctx() can fail for two reasons: 1) invalid parameters and 2) internal memory allocation failures. In case of failures, the damon_ctx that attempted to be updated (commit destination) can be partially updated (or, corrupted from a perspective), and therefore shouldn't be used anymore. The function only ensures the damon_ctx object can safely deallocated using damon_destroy_ctx(). The API callers are, however, calling damon_commit_ctx() only after asserting the parameters are valid, to avoid damon_commit_ctx() fails due to invalid input parameters. But it can still theoretically fail if the internal memory allocation fails. In the case, DAMON may run with the partially updated damon_ctx. This can result in unexpected behaviors including even NULL pointer dereference in case of damos_commit_dests() failure [1]. Such allocation failure is arguably too small to fail, so the real world impact would be rare. But, given the bad consequence, this needs to be fixed. Avoid such partially-committed (maybe-corrupted) damon_ctx use by saving the damon_commit_ctx() failure on the damon_ctx object. For this, introduce damon_ctx->maybe_corrupted field. damon_commit_ctx() sets it when it is failed. kdamond_call() checks if the field is set after each damon_call_control->fn() is executed. If it is set, ignore remaining callback requests and return. All kdamond_call() callers including kdamond_fn() also check the maybe_corrupted field right after kdamond_call() invocations. If the field is set, break the kdamond_fn() main loop so that DAMON sill doesn't use the context that might be corrupted. [[email protected]: let kdamond_call() with cancel regardless of maybe_corrupted]
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-31445
EUVD
EUVD-2026-24779
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.15 (inc) to 6.18.21 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's DAMON (Data Access Monitor) subsystem, specifically in the way it updates its context parameters using the damon_commit_ctx() function.

When damon_commit_ctx() is called to update DAMON parameters, it can fail due to invalid parameters or internal memory allocation failures. Although callers usually ensure parameters are valid to avoid failure, memory allocation failures can still occur.

If damon_commit_ctx() fails, the damon_ctx object being updated can become partially updated or corrupted. Despite this, the system might continue using this corrupted context, which can lead to unexpected behaviors, including potential NULL pointer dereferences.

The fix involves introducing a flag (maybe_corrupted) in the damon_ctx object to mark when a failure occurs. Subsequent operations check this flag and stop using the corrupted context to prevent further issues.

Impact Analysis

If this vulnerability is triggered, DAMON may operate with a partially updated or corrupted context, which can cause unexpected behaviors in the Linux kernel.

One possible impact is a NULL pointer dereference, which can lead to kernel crashes or system instability.

However, such failures due to memory allocation issues are considered rare in real-world scenarios, so the likelihood of impact is low but potentially severe if it occurs.

Mitigation Strategies

This vulnerability is related to the Linux kernel's DAMON subsystem and involves potential corruption of the damon_ctx object due to partial updates when memory allocation fails.

To mitigate this vulnerability, the recommended step is to update the Linux kernel to a version that includes the fix where the damon_commit_ctx() failure is properly handled by marking the damon_ctx as maybe_corrupted and preventing further use of a corrupted context.

Since the issue is fixed by kernel code changes, immediate mitigation involves applying the kernel patch or upgrading to a fixed kernel release.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31445. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart