CVE-2026-31463
Analyzed Analyzed - Analysis Complete

Invalid Folio Access Vulnerability in Linux Kernel iomap Component

Vulnerability report for CVE-2026-31463, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-22

Last updated on: 2026-05-07

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: iomap: fix invalid folio access when i_blkbits differs from I/O granularity Commit aa35dd5cbc06 ("iomap: fix invalid folio access after folio_end_read()") partially addressed invalid folio access for folios without an ifs attached, but it did not handle the case where 1 << inode->i_blkbits matches the folio size but is different from the granularity used for the IO, which means IO can be submitted for less than the full folio for the !ifs case. In this case, the condition: if (*bytes_submitted == folio_len) ctx->cur_folio = NULL; in iomap_read_folio_iter() will not invalidate ctx->cur_folio, and iomap_read_end() will still be called on the folio even though the IO helper owns it and will finish the read on it. Fix this by unconditionally invalidating ctx->cur_folio for the !ifs case.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-22
Last Modified
2026-05-07
Generated
2026-07-06
AI Q&A
2026-04-22
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's iomap subsystem, where invalid folio access can occur when the block size (i_blkbits) differs from the I/O granularity. Specifically, the fix for invalid folio access after folio_end_read() did not cover cases where the folio size matches 1 << inode->i_blkbits but differs from the I/O granularity. This mismatch can cause I/O operations to be submitted for less than the full folio, leading to a situation where the current folio context is not properly invalidated. As a result, iomap_read_end() may be called on a folio that the I/O helper owns, potentially causing incorrect handling of the read operation.

Impact Analysis

The vulnerability can lead to improper handling of memory folios during I/O operations in the Linux kernel. This may cause data corruption or unexpected behavior during read operations, as the kernel might operate on folios that are no longer valid or owned by the I/O helper. Such issues could affect system stability, data integrity, and reliability of file system operations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31463. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart