CVE-2026-31481
Received Received - Intake
Use-After-Free in Linux Kernel Tracing Causes Kernel Crash

Publication date: 2026-04-22

Last updated on: 2026-04-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: tracing: Drain deferred trigger frees if kthread creation fails Boot-time trigger registration can fail before the trigger-data cleanup kthread exists. Deferring those frees until late init is fine, but the post-boot fallback must still drain the deferred list if kthread creation never succeeds. Otherwise, boot-deferred nodes can accumulate on trigger_data_free_list, later frees fall back to synchronously freeing only the current object, and the older queued entries are leaked forever. To trigger this, add the following to the kernel command line: trace_event=sched_switch trace_trigger=sched_switch.traceon,sched_switch.traceon The second traceon trigger will fail and be freed. This triggers a NULL pointer dereference and crashes the kernel. Keep the deferred boot-time behavior, but when kthread creation fails, drain the whole queued list synchronously. Do the same in the late-init drain path so queued entries are not stranded there either.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31481
EUVD
EUVD-2026-24841
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 6.19
linux linux_kernel From 6.19.1 (inc) to 6.19.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's tracing subsystem. It occurs when boot-time trigger registration fails before the trigger-data cleanup kernel thread (kthread) is created. Normally, deferred frees are handled later during initialization, but if the kthread creation fails, the deferred free list is not properly drained. This causes boot-deferred nodes to accumulate indefinitely, leading to memory leaks.

Specifically, if a second trace trigger fails to register (for example, by adding certain parameters to the kernel command line), it causes a NULL pointer dereference that crashes the kernel. The fix involves ensuring that when kthread creation fails, the entire deferred free list is synchronously drained to prevent leaks and crashes.

Impact Analysis

This vulnerability can cause the Linux kernel to crash due to a NULL pointer dereference triggered by failed trace trigger registration during boot. Additionally, it can lead to memory leaks as deferred free nodes accumulate indefinitely if the cleanup thread is not created.

The impact includes system instability and potential denial of service due to kernel crashes, which can affect system availability and reliability.

Detection Guidance

This vulnerability can be triggered by adding specific parameters to the kernel command line that cause a NULL pointer dereference and kernel crash.

  • Check if the kernel command line includes: trace_event=sched_switch trace_trigger=sched_switch.traceon,sched_switch.traceon
  • Monitor for kernel crashes or NULL pointer dereferences related to tracing triggers.
Mitigation Strategies

Immediate mitigation involves ensuring that the kernel is updated to a version where this vulnerability is fixed.

Avoid using the kernel command line parameters that trigger the vulnerability, specifically the double traceon triggers for sched_switch.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31481. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart