CVE-2026-31458
NULL Pointer Dereference in Linux Kernel DAMON sysfs Interface
Publication date: 2026-04-22
Last updated on: 2026-05-05
Assigner: kernel.org
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.13 (inc) to 6.18.21 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.11 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.80 (exc) |
| linux | linux_kernel | From 5.18 (inc) to 6.6.131 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's DAMON subsystem, specifically in the sysfs interface for managing DAMON contexts.
The issue arises because multiple sysfs command paths dereference the array element contexts_arr[0] without first checking that the number of contexts (nr) is 1.
A privileged user can set the number of contexts (nr_contexts) to 0 via sysfs while DAMON is running, which causes the system to dereference a NULL pointer when it tries to access contexts_arr[0].
This NULL pointer dereference can be triggered by executing certain commands through sysfs, such as 'update_schemes_stats', 'update_schemes_tried_regions', and others, leading to potential crashes or instability.
How can this vulnerability impact me?
This vulnerability can cause a NULL pointer dereference in the Linux kernel, which may lead to system crashes or kernel panics.
Since the issue can be triggered by privileged users, it could be exploited to cause denial of service by crashing the system or making it unstable.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the conditions that cause the NULL pointer dereference in the DAMON subsystem of the Linux kernel.
Specifically, start DAMON and set the number of contexts to zero using sysfs, then execute certain commands that trigger the issue.
- # damon start
- # cd /sys/kernel/mm/damon/admin/kdamonds/0
- # echo 0 > contexts/nr_contexts
After setting nr_contexts to 0, running any of the following commands will cause the NULL pointer dereference if the vulnerability is present:
- # echo update_schemes_stats > state
- # echo update_schemes_tried_regions > state
- # echo update_schemes_tried_bytes > state
- # echo update_schemes_effective_quotas > state
- # echo update_tuned_intervals > state
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves ensuring that the DAMON sysfs command handler properly checks the number of contexts before accessing contexts_arr[0].
Specifically, guard all commands (except the OFF command) at the entry point of damon_sysfs_handle_cmd() to verify that contexts->nr is not zero before dereferencing contexts_arr[0].
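The entry-point guard described above, as an added example: this is a simplified, hypothetical model written for this page, not the kernel's own mm/damon/sysfs.c. Only the names contexts_arr and nr and the command strings written to the "state" file are taken from the advisory text; the struct layout, the enum, the function names (damon_sysfs_handle_cmd_model, parse_state_cmd, simulate_state_write) and the per-command work are stand-ins. The model parses the string written to "state", refuses every command except OFF while nr is 0, and only then reads contexts_arr[0].

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Added, hypothetical model of the DAMON sysfs "state" command handler; it is
 * NOT the kernel's mm/damon/sysfs.c. Only contexts_arr, nr and the command
 * strings come from the advisory text; every other name is a stand-in. */

struct damon_sysfs_context {
	unsigned long stats_updates; /* stand-in for real per-context state */
};

struct damon_sysfs_contexts {
	struct damon_sysfs_context **contexts_arr; /* NULL once nr_contexts is 0 */
	int nr;                                    /* number of contexts */
};

/* Constructed command set, named after the strings written to "state". */
enum sysfs_cmd {
	CMD_OFF,
	CMD_UPDATE_SCHEMES_STATS,
	CMD_UPDATE_SCHEMES_TRIED_REGIONS,
	CMD_UPDATE_SCHEMES_TRIED_BYTES,
	CMD_UPDATE_SCHEMES_EFFECTIVE_QUOTAS,
	CMD_UPDATE_TUNED_INTERVALS,
	CMD_UNKNOWN, /* sentinel: number of valid commands */
};

static const char *const cmd_strs[CMD_UNKNOWN] = {
	[CMD_OFF] = "off",
	[CMD_UPDATE_SCHEMES_STATS] = "update_schemes_stats",
	[CMD_UPDATE_SCHEMES_TRIED_REGIONS] = "update_schemes_tried_regions",
	[CMD_UPDATE_SCHEMES_TRIED_BYTES] = "update_schemes_tried_bytes",
	[CMD_UPDATE_SCHEMES_EFFECTIVE_QUOTAS] = "update_schemes_effective_quotas",
	[CMD_UPDATE_TUNED_INTERVALS] = "update_tuned_intervals",
};

/* Map the buffer written to the sysfs file to a command; a trailing newline
 * (as produced by `echo cmd > state`) is tolerated, anything else is not. */
enum sysfs_cmd parse_state_cmd(const char *buf)
{
	size_t len = strlen(buf);

	if (len && buf[len - 1] == '\n')
		len--;
	for (int c = 0; c < CMD_UNKNOWN; c++) {
		if (strlen(cmd_strs[c]) == len && memcmp(buf, cmd_strs[c], len) == 0)
			return (enum sysfs_cmd)c;
	}
	return CMD_UNKNOWN;
}

/* Hardened handler: the guard sits once at the entry point, so no later
 * command path can reach contexts_arr[0] while nr is 0. OFF is exempt
 * because it must still be able to stop a kdamond that has no contexts. */
int damon_sysfs_handle_cmd_model(struct damon_sysfs_contexts *contexts,
				 enum sysfs_cmd cmd)
{
	struct damon_sysfs_context *ctx;

	if (cmd == CMD_UNKNOWN)
		return -EINVAL;
	if (cmd == CMD_OFF)
		return 0;
	if (contexts->nr == 0 || contexts->contexts_arr == NULL)
		return -EINVAL; /* the check the fix adds: nr must not be 0 */

	ctx = contexts->contexts_arr[0]; /* safe: nr >= 1 here */
	switch (cmd) {
	case CMD_UPDATE_SCHEMES_STATS:
	case CMD_UPDATE_SCHEMES_TRIED_REGIONS:
	case CMD_UPDATE_SCHEMES_TRIED_BYTES:
	case CMD_UPDATE_SCHEMES_EFFECTIVE_QUOTAS:
	case CMD_UPDATE_TUNED_INTERVALS:
		ctx->stats_updates++; /* stand-in for the real per-command work */
		return 0;
	default:
		return -EINVAL;
	}
}

/* Drive the model the way a sysfs write would: nr_contexts is 1 (running
 * normally) or 0 (set to zero while running); returns the handler's code. */
int simulate_state_write(int nr_contexts, const char *buf)
{
	static struct damon_sysfs_context ctx;
	struct damon_sysfs_context *arr[1] = { &ctx };
	struct damon_sysfs_contexts contexts = {
		.contexts_arr = nr_contexts ? arr : NULL,
		.nr = nr_contexts,
	};

	return damon_sysfs_handle_cmd_model(&contexts, parse_state_cmd(buf));
}
```

With one context, simulate_state_write(1, "update_schemes_stats\n") returns 0; with nr set to 0 the same write returns -EINVAL instead of reaching contexts_arr[0], while "off" still succeeds. Placing the check once at the entry rather than in each command path is what keeps a newly added command from reintroducing the dereference.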