CVE-2026-31686
Awaiting Analysis Awaiting Analysis - Queue
Double Free Vulnerability in Linux Kernel KASAN Page Table Handling

Publication date: 2026-04-27

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: mm/kasan: fix double free for kasan pXds kasan_free_pxd() assumes the page table is always struct page aligned. But that's not always the case for all architectures. E.g. In case of powerpc with 64K pagesize, PUD table (of size 4096) comes from slab cache named pgtable-2^9. Hence instead of page_to_virt(pxd_page()) let's just directly pass the start of the pxd table which is passed as the 1st argument. This fixes the below double free kasan issue seen with PMEM: radix-mmu: Mapped 0x0000047d10000000-0x0000047f90000000 with 2.00 MiB pages ================================================================== BUG: KASAN: double-free in kasan_remove_zero_shadow+0x9c4/0xa20 Free of addr c0000003c38e0000 by task ndctl/2164 CPU: 34 UID: 0 PID: 2164 Comm: ndctl Not tainted 6.19.0-rc1-00048-gea1013c15392 #157 VOLUNTARY Hardware name: IBM,9080-HEX POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_012) hv:phyp pSeries Call Trace: dump_stack_lvl+0x88/0xc4 (unreliable) print_report+0x214/0x63c kasan_report_invalid_free+0xe4/0x110 check_slab_allocation+0x100/0x150 kmem_cache_free+0x128/0x6e0 kasan_remove_zero_shadow+0x9c4/0xa20 memunmap_pages+0x2b8/0x5c0 devm_action_release+0x54/0x70 release_nodes+0xc8/0x1a0 devres_release_all+0xe0/0x140 device_unbind_cleanup+0x30/0x120 device_release_driver_internal+0x3e4/0x450 unbind_store+0xfc/0x110 drv_attr_store+0x78/0xb0 sysfs_kf_write+0x114/0x140 kernfs_fop_write_iter+0x264/0x3f0 vfs_write+0x3bc/0x7d0 ksys_write+0xa4/0x190 system_call_exception+0x190/0x480 system_call_vectored_common+0x15c/0x2ec ---- interrupt: 3000 at 0x7fff93b3d3f4 NIP: 00007fff93b3d3f4 LR: 00007fff93b3d3f4 CTR: 0000000000000000 REGS: c0000003f1b07e80 TRAP: 3000 Not tainted (6.19.0-rc1-00048-gea1013c15392) MSR: 800000000280f033 <SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 48888208 XER: 00000000 <...> NIP [00007fff93b3d3f4] 0x7fff93b3d3f4 LR [00007fff93b3d3f4] 0x7fff93b3d3f4 ---- interrupt: 3000 The buggy address belongs to the object at c0000003c38e0000 which belongs to the cache pgtable-2^9 of size 4096 The buggy address is located 0 bytes inside of 4096-byte region [c0000003c38e0000, c0000003c38e1000) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3c38c head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:c0000003bfd63e01 flags: 0x63ffff800000040(head|node=6|zone=0|lastcpupid=0x7ffff) page_type: f5(slab) raw: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000 raw: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01 head: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000 head: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01 head: 063ffff800000002 c00c000000f0e301 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 page dumped because: kasan: bad access detected [ 138.953636] [ T2164] Memory state around the buggy address: [ 138.953643] [ T2164] c0000003c38dff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953652] [ T2164] c0000003c38dff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953661] [ T2164] >c0000003c38e0000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953669] [ T2164] ^ [ 138.953675] [ T2164] c0000003c38e0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953684] [ T2164] c0000003c38e0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953692] [ T2164] ================================================================== [ 138.953701] [ T2164] Disabling lock debugging due to kernel taint
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-27
Last Modified
2026-04-27
Generated
2026-05-07
AI Q&A
2026-04-27
EPSS Evaluated
2026-05-05
NVD
CVE-2026-31686
EUVD
EUVD-2026-25882
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel 6.19.0-rc1-00048-gea1013c15392
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a double free issue in the Linux kernel's memory management subsystem related to KASAN (Kernel Address Sanitizer). Specifically, the function kasan_free_pxd() incorrectly assumes that the page table is always aligned to a struct page, which is not true for all architectures such as powerpc with 64K page size. This misalignment can cause the same memory to be freed twice, leading to memory corruption.

The problem occurs because the PUD table (page upper directory) comes from a slab cache with a different alignment than expected. The fix involves passing the start of the pxd table directly instead of converting it via page_to_virt(), preventing the double free error.


How can this vulnerability impact me? :

This double free vulnerability can lead to memory corruption in the Linux kernel, which may cause system instability, crashes, or unpredictable behavior. In some cases, such memory corruption could be exploited by attackers to escalate privileges or execute arbitrary code within the kernel context, compromising system security.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a double free error detected by KASAN (Kernel Address Sanitizer) in the Linux kernel. Detection typically involves monitoring kernel logs for KASAN error messages indicating double free issues related to kasan_remove_zero_shadow or kasan_free_pxd.

To detect this vulnerability on your system, you should check the kernel logs for KASAN reports. You can use commands such as:

  • dmesg | grep -i kasan
  • journalctl -k | grep -i kasan
  • grep -i kasan /var/log/kern.log

These commands help identify if the kernel has reported any double free or memory corruption errors related to KASAN, which would indicate the presence of this vulnerability.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by correcting the handling of kasan_free_pxd() in the Linux kernel to avoid double free errors. Immediate mitigation involves updating your Linux kernel to a version that includes this fix.

Since this is a kernel-level issue, the recommended step is to apply the latest kernel patches or upgrade to a kernel version where this issue is resolved.

Additionally, monitoring kernel logs for KASAN errors and avoiding workloads that trigger this bug (such as those involving PMEM on affected architectures) until the patch is applied can help reduce risk.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart