CVE-2026-31457
Analyzed Analyzed - Analysis Complete
Null Pointer Dereference in Linux Kernel DAMON sysfs Component

Publication date: 2026-04-22

Last updated on: 2026-06-05

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: check contexts->nr in repeat_call_fn damon_sysfs_repeat_call_fn() calls damon_sysfs_upd_tuned_intervals(), damon_sysfs_upd_schemes_stats(), and damon_sysfs_upd_schemes_effective_quotas() without checking contexts->nr. If nr_contexts is set to 0 via sysfs while DAMON is running, these functions dereference contexts_arr[0] and cause a NULL pointer dereference. Add the missing check. For example, the issue can be reproduced using DAMON sysfs interface and DAMON user-space tool (damo) [1] like below. $ sudo damo start --refresh_interval 1s $ echo 0 | sudo tee \ /sys/kernel/mm/damon/admin/kdamonds/0/contexts/nr_contexts
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-06-05
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31457
EUVD
EUVD-2026-24796
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.17 (inc) to 6.18.21 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's DAMON subsystem, specifically in the damon_sysfs_repeat_call_fn function. The function calls several update functions without checking the number of contexts (contexts->nr). If the number of contexts (nr_contexts) is set to 0 via the sysfs interface while DAMON is running, the functions attempt to dereference contexts_arr[0], which leads to a NULL pointer dereference.

This can cause the kernel to crash or behave unpredictably. The issue arises because the code lacks a check for zero contexts before accessing the array.

Impact Analysis

This vulnerability can cause a NULL pointer dereference in the Linux kernel, which may lead to a kernel crash or system instability. If exploited or triggered, it could result in denial of service by causing the system to crash or reboot unexpectedly.

Detection Guidance

This vulnerability can be detected by attempting to reproduce the issue using the DAMON sysfs interface and the DAMON user-space tool (damo). Specifically, you can start the damo tool with a refresh interval and then set the nr_contexts to 0 via sysfs to check for a NULL pointer dereference.

  • Run the command: sudo damo start --refresh_interval 1s
  • Then execute: echo 0 | sudo tee /sys/kernel/mm/damon/admin/kdamonds/0/contexts/nr_contexts
Mitigation Strategies

To mitigate this vulnerability, ensure that the Linux kernel is updated to a version where the missing check for contexts->nr in damon_sysfs_repeat_call_fn() has been added. This prevents the NULL pointer dereference when nr_contexts is set to 0.

Until the update is applied, avoid setting nr_contexts to 0 via the DAMON sysfs interface while DAMON is running.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31457. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart