CVE-2026-31787
Status: Awaiting Analysis (Queue)
Double Free in Linux Kernel via VMA Splitting

Publication date: 2026-04-30

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

xen/privcmd: fix double free via VMA splitting

privcmd_vm_ops defines .close (privcmd_close), but neither .may_split nor .open. When userspace does a partial munmap() on a privcmd mapping, the kernel splits the VMA via __split_vma(). Since may_split is NULL, the split is allowed. vm_area_dup() copies vm_private_data (a pages array allocated in alloc_empty_pages()) into the new VMA without any fixup, because there is no .open callback. Both VMAs now point to the same pages array.

When the unmapped portion is closed, privcmd_close() calls:

- xen_unmap_domain_gfn_range()
- xen_free_unpopulated_pages()
- kvfree(pages)

The surviving VMA still holds the dangling pointer. When it is later destroyed, the same sequence runs again, which leads to a double free.

Fix this issue by adding a .may_split callback denying the VMA split.

This is XSA-487 / CVE-2026-31787.
Meta Information

Published: 2026-04-30
Last Modified: 2026-05-06
Generated: 2026-05-07
AI Q&A: 2026-04-30
EPSS Evaluated: 2026-05-05

External references: NVD, EUVD
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.11 (inc) to 5.15.204 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.170 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.137 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.85 (exc)
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.13 (inc) to 6.18.26 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.3 (exc)
linux linux_kernel From 3.8 (inc) to 5.10.254 (exc)
CWE

CWE-415: The product calls free() twice on the same memory address.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is a kernel-level issue in the Linux kernel's Xen privcmd driver involving a double free triggered by VMA splitting. Detection requires verifying if the system is running a vulnerable Linux kernel version with the affected privcmd driver.

Since the vulnerability requires root privileges to exploit and involves internal kernel memory management, there are no specific network-based detection methods or simple user-level commands to directly detect exploitation attempts.

To check if your system is potentially vulnerable, you can:

  • Verify the Linux kernel version is 3.8 or later and running Xen PVH or HVM domains (x86 or Arm).
  • Check if the privcmd driver is loaded or in use.

Example commands to gather this information include:

  • Check kernel version: `uname -r`
  • Check loaded modules for privcmd: `lsmod | grep privcmd`
  • Check Xen domain type and configuration (varies by environment, e.g., `xl info` or `xl list` for Xen domains)

Since no specific detection tools or signatures are provided, the best approach is to ensure the system is patched with the fix for XSA-487 / CVE-2026-31787.


Can you explain this vulnerability to me?

CVE-2026-31787 is a vulnerability in the Linux kernel's Xen privcmd driver involving a double free of kernel memory. The issue arises because the privcmd driver does not properly handle splitting of virtual memory areas (VMAs) when userspace performs a partial munmap() on a privcmd mapping. This leads to two VMAs pointing to the same pages array. When one VMA is closed, it frees the pages array, but the other VMA still holds a dangling pointer to the same memory. Later, when the second VMA is destroyed, it attempts to free the same memory again, causing a double free.

The root cause is the absence of a .may_split callback in the privcmd_vm_ops structure, which allows the VMA split to occur improperly. The fix involves adding a .may_split callback to deny the VMA split.
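
The mechanism described in the advisory text above and in this answer, as an added userspace model that is not the kernel's code: a vm_operations-style table whose .close releases vm_private_data, a split that shallow-copies the VMA the way vm_area_dup() does, and the .may_split guard the fix adds. The struct layouts, the live flag and run_scenario() are simplifications assumed here; instead of calling kvfree() a second time, a repeated release of the shared pages array is counted.

```c
#include <errno.h>
struct vma;
struct vm_ops {                     /* the two callbacks the advisory discusses */
    void (*close)(struct vma *);
    int  (*may_split)(struct vma *, unsigned long addr);
};
struct vma {
    unsigned long start, end;
    void *private_data;             /* the pages array in the real driver */
    const struct vm_ops *ops;
};
struct pages { int live; };         /* stand-in pages array (assumed model) */
static int double_frees;            /* releases of an already-dead pages array */
/* Flip the live flag instead of kvfree(): a second release is counted, not UB. */
static void privcmd_close(struct vma *v) {
    struct pages *p = v->private_data;
    if (!p->live) { double_frees++; return; }
    p->live = 0;
}

/* The XSA-487 fix: refuse to split a privcmd mapping at all. */
static int privcmd_may_split(struct vma *v, unsigned long addr) {
    (void)v; (void)addr;
    return -EINVAL;
}

/* __split_vma() model: honour .may_split if set, then vm_area_dup()
 * shallow-copies the VMA, private_data included; no .open fixes it up. */
static int split_vma(struct vma *v, unsigned long addr, struct vma *tail) {
    int err = v->ops->may_split ? v->ops->may_split(v, addr) : 0;
    if (err) return err;
    *tail = *v;
    tail->start = addr;
    v->end = addr;
    return 0;
}

/* Partial munmap() of the upper half, then teardown of the survivor;
 * returns how many times the shared pages array was released twice. */
static int run_scenario(const struct vm_ops *ops) {
    struct pages pg = { .live = 1 };
    struct vma v = { 0x1000, 0x3000, &pg, ops }, tail;
    double_frees = 0;
    if (split_vma(&v, 0x2000, &tail) == 0)
        ops->close(&tail);          /* close of the unmapped portion */
    ops->close(&v);                 /* surviving VMA destroyed later */
    return double_frees;
}
static const struct vm_ops vulnerable_ops = { .close = privcmd_close };
static const struct vm_ops fixed_ops = { privcmd_close, privcmd_may_split };
```

With vulnerable_ops the split succeeds and the survivor's close hits the dead pages array once; with fixed_ops split_vma() returns -EINVAL and the array is released exactly once.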


How can this vulnerability impact me?

This vulnerability can be exploited only by a user with root privileges on affected Linux PVH or HVM domains running kernel versions 3.8 and later. The primary impact is the ability to bypass kernel lockdown (secure boot) protections, potentially undermining system security measures.

While the vulnerability can lead to a denial of service due to the double free, it is not considered to allow further system compromise beyond that. There is no mitigation other than applying the provided patch.


What immediate steps should I take to mitigate this vulnerability?

There is no available mitigation for this vulnerability other than applying the provided patch.

The vulnerability affects Linux PVH or HVM domains (x86 or Arm) running kernel versions 3.8 and later.

Immediate steps include obtaining and applying the patch (xsa487-linux.patch) that fixes the issue by adding a .may_split callback denying the VMA split.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows a root user to bypass kernel lockdown (secure boot) protections by triggering a double free in kernel memory. However, exploitation requires root privileges, limiting its impact primarily to potential denial of service and circumvention of secure boot restrictions.

There is no direct information provided about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

