CVE-2026-31787

Awaiting Analysis Awaiting Analysis - Queue

Double Free in Linux Kernel via VMA Splitting

Publication date: 2026-04-30

Last updated on: 2026-05-06

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: fix double free via VMA splitting privcmd_vm_ops defines .close (privcmd_close), but neither .may_split nor .open. When userspace does a partial munmap() on a privcmd mapping, the kernel splits the VMA via __split_vma(). Since may_split is NULL, the split is allowed. vm_area_dup() copies vm_private_data (a pages array allocated in alloc_empty_pages()) into the new VMA without any fixup, because there is no .open callback. Both VMAs now point to the same pages array. When the unmapped portion is closed, privcmd_close() calls: - xen_unmap_domain_gfn_range() - xen_free_unpopulated_pages() - kvfree(pages) The surviving VMA still holds the dangling pointer. When it is later destroyed, the same sequence runs again, which leads to a double free. Fix this issue by adding a .may_split callback denying the VMA split. This is XSA-487 / CVE-2026-31787

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-04-30

Last Modified

2026-05-06

Generated

2026-06-16

AI Q&A

2026-04-30

EPSS Evaluated

2026-06-15

NVD

CVE-2026-31787

EUVD

EUVD-2026-26365

Affected Vendors & Products

Vendor	Product	Version / Range
linux	linux_kernel	From 5.11 (inc) to 5.15.204 (exc)
linux	linux_kernel	From 5.16 (inc) to 6.1.170 (exc)
linux	linux_kernel	From 6.2 (inc) to 6.6.137 (exc)
linux	linux_kernel	From 6.7 (inc) to 6.12.85 (exc)
linux	linux_kernel	7.1
linux	linux_kernel	7.1
linux	linux_kernel	From 6.13 (inc) to 6.18.26 (exc)
linux	linux_kernel	From 6.19 (inc) to 7.0.3 (exc)
linux	linux_kernel	From 3.8 (inc) to 5.10.254 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-415	The product calls free() twice on the same memory address.

Attack-Flow Graph

Detection Guidance

This vulnerability is a kernel-level issue in the Linux kernel's Xen privcmd driver involving a double free triggered by VMA splitting. Detection requires verifying if the system is running a vulnerable Linux kernel version with the affected privcmd driver.

Since the vulnerability requires root privileges to exploit and involves internal kernel memory management, there are no specific network-based detection methods or simple user-level commands to directly detect exploitation attempts.

To check if your system is potentially vulnerable, you can:

Verify the Linux kernel version is 3.8 or later and running Xen PVH or HVM domains (x86 or Arm).
Check if the privcmd driver is loaded or in use.

Example commands to gather this information include:

Check kernel version: `uname -r`
Check loaded modules for privcmd: `lsmod | grep privcmd`
Check Xen domain type and configuration (varies by environment, e.g., `xl info` or `xl list` for Xen domains)

Since no specific detection tools or signatures are provided, the best approach is to ensure the system is patched with the fix for XSA-487 / CVE-2026-31787.

Executive Summary

CVE-2026-31787 is a vulnerability in the Linux kernel's Xen privcmd driver involving a double free of kernel memory. The issue arises because the privcmd driver does not properly handle splitting of virtual memory areas (VMAs) when userspace performs a partial munmap() on a privcmd mapping. This leads to two VMAs pointing to the same pages array. When one VMA is closed, it frees the pages array, but the other VMA still holds a dangling pointer to the same memory. Later, when the second VMA is destroyed, it attempts to free the same memory again, causing a double free.

The root cause is the absence of a .may_split callback in the privcmd_vm_ops structure, which allows the VMA split to occur improperly. The fix involves adding a .may_split callback to deny the VMA split.

Impact Analysis

This vulnerability can be exploited only by a user with root privileges on affected Linux PVH or HVM domains running kernel versions 3.8 and later. The primary impact is the ability to bypass kernel lockdown (secure boot) protections, potentially undermining system security measures.

While the vulnerability can lead to a denial of service due to the double free, it is not considered to allow further system compromise beyond that. There is no mitigation other than applying the provided patch.

Mitigation Strategies

There is no available mitigation for this vulnerability other than applying the provided patch.

The vulnerability affects Linux PVH or HVM domains (x86 or Arm) running kernel versions 3.8 and later.

Immediate steps include obtaining and applying the patch (xsa487-linux.patch) that fixes the issue by adding a .may_split callback denying the VMA split.

Compliance Impact

This vulnerability allows a root user to bypass kernel lockdown (secure boot) protections by triggering a double free in kernel memory. However, exploitation requires root privileges, limiting its impact primarily to potential denial of service and circumvention of secure boot restrictions.

There is no direct information provided about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Hi! I’m here to help you understand CVE-2026-31787. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-31787

Double Free in Linux Kernel via VMA Splitting

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart