Description
In the Linux kernel, the following vulnerability has been resolved:

mm/huge_memory: fix use of NULL folio in move_pages_huge_pmd()

move_pages_huge_pmd() handles UFFDIO_MOVE for both normal THPs and huge
zero pages. For the huge zero page path, src_folio is explicitly set to
NULL, and is used as a sentinel to skip folio operations like lock and
rmap.

In the huge zero page branch, src_folio is NULL, so folio_mk_pmd(NULL,
pgprot) passes NULL through folio_pfn() and page_to_pfn(). With
SPARSEMEM_VMEMMAP this silently produces a bogus PFN, installing a PMD
pointing to non-existent physical memory. On other memory models it is a
NULL dereference.

Use page_folio(src_page) to obtain the valid huge zero folio from the
page, which was obtained from pmd_page() and remains valid throughout.

After commit d82d09e48219 ("mm/huge_memory: mark PMD mappings of the huge
zero folio special"), moved huge zero PMDs must remain special so
vm_normal_page_pmd() continues to treat them as special mappings.

move_pages_huge_pmd() currently reconstructs the destination PMD in the
huge zero page branch, which drops PMD state such as pmd_special() on
architectures with CONFIG_ARCH_HAS_PTE_SPECIAL. As a result,
vm_normal_page_pmd() can treat the moved huge zero PMD as a normal page
and corrupt its refcount.

Instead of reconstructing the PMD from the folio, derive the destination
entry from src_pmdval after pmdp_huge_clear_flush(), then handle the PMD
metadata the same way move_huge_pmd() does for moved entries by marking it
soft-dirty and clearing uffd-wp.
Published: 2026-04-03
Score: n/a
EPSS: n/a
KEV: No
Impact: Denial of Service
Action: Patch Immediately
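
The two defects described in the commit message above, as a user-space C model (an added example, not kernel code and not taken from the fix). The vmemmap base, struct page size, PFN values and PMD bit positions are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model only; every constant here is an assumption of this example. */
#define VMEMMAP_BASE   0xffffea0000000000ULL /* assumed base of the struct page array */
#define PAGE_STRUCT_SZ 64ULL                 /* assumed sizeof(struct page) */
#define MAX_PFN        0x400000ULL           /* model machine: 16 GiB of 4 KiB pages */
#define PFN_SHIFT      12
#define PMD_PRESENT    (1ULL << 0)
#define PMD_UFFD_WP    (1ULL << 1)
#define PMD_SOFT_DIRTY (1ULL << 2)
#define PMD_SPECIAL    (1ULL << 3)
#define ZERO_PFN       0x1200ULL             /* constructed PFN of the huge zero page */

/* SPARSEMEM_VMEMMAP-style page_to_pfn(): pure address arithmetic, no dereference. */
static uint64_t model_page_to_pfn(uint64_t page_addr)
{
    return (page_addr - VMEMMAP_BASE) / PAGE_STRUCT_SZ;
}

static uint64_t model_pfn_to_page(uint64_t pfn) { return VMEMMAP_BASE + pfn * PAGE_STRUCT_SZ; }
static uint64_t pmd_pfn(uint64_t pmd) { return pmd >> PFN_SHIFT; }
static bool pfn_backed(uint64_t pfn) { return pfn < MAX_PFN; }

/* Rebuild the entry from a folio address: only PFN and present bit survive. */
static uint64_t rebuild_pmd(uint64_t folio_addr)
{
    return (model_page_to_pfn(folio_addr) << PFN_SHIFT) | PMD_PRESENT;
}

/* Derive from the saved source entry: mark soft-dirty, clear uffd-wp, keep the rest. */
static uint64_t derive_pmd(uint64_t src_pmdval)
{
    return (src_pmdval | PMD_SOFT_DIRTY) & ~PMD_UFFD_WP;
}

int main(void)
{
    uint64_t src = (ZERO_PFN << PFN_SHIFT) | PMD_PRESENT | PMD_SPECIAL | PMD_UFFD_WP;
    uint64_t from_null = rebuild_pmd(0);                           /* src_folio == NULL */
    uint64_t from_page = rebuild_pmd(model_pfn_to_page(ZERO_PFN)); /* page_folio(src_page) */
    uint64_t derived = derive_pmd(src);                            /* from src_pmdval */

    printf("NULL folio: pfn=%#llx backed=%d\n", (unsigned long long)pmd_pfn(from_null), pfn_backed(pmd_pfn(from_null)));
    printf("page_folio: pfn=%#llx special=%d\n", (unsigned long long)pmd_pfn(from_page), !!(from_page & PMD_SPECIAL));
    printf("src_pmdval: pfn=%#llx special=%d\n", (unsigned long long)pmd_pfn(derived), !!(derived & PMD_SPECIAL));
    return 0;
}
```

The model covers only the SPARSEMEM_VMEMMAP case, where the NULL folio yields a PFN silently; the NULL dereference the description mentions for other memory models is not reproduced here.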
AI Analysis

Impact

The move_pages_huge_pmd function in the Linux kernel mishandles a NULL folio when moving huge zero pages. This bug causes a bogus page frame number to be written into a PMD entry, pointing to non-existent memory or causing a NULL dereference. An attacker who can invoke the UFFDIO_MOVE ioctl can trigger a kernel crash or memory corruption, resulting in a denial of service and potential corruption of data used by other processes.

Affected Systems

Linux kernels that contain the buggy move_pages_huge_pmd implementation are affected. The exact affected release series is not listed in the advisory, so any kernel version prior to the commit that introduces this fix is potentially vulnerable.

Risk and Exploitability

The CVSS score is not available in the advisory and the EPSS score is missing, so the precise risk level is unclear. However, the vulnerability involves a kernel memory corruption scenario that can be triggered via a privileged ioctl. In environments where an attacker can reach kernel space—such as a local privileged user or a compromised device—the risk of a crash or data corruption is high. The vulnerability is not currently listed in CISA’s KEV catalog, indicating no publicly known active exploitation at this time.

Generated by OpenCVE AI on April 3, 2026 at 18:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that incorporates commit d82d09e48219 or later, which fixes the NULL folio handling in move_pages_huge_pmd.
  • Verify that your system’s kernel version includes the proper patch before resuming normal operations.
  • If an immediate kernel update is not possible, monitor vendor advisories for additional guidance and treat the systems as potentially vulnerable to denial of service.

Advisories

No advisories yet.

History

Sat, 04 Apr 2026 01:15:00 +0000


Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description Same text as the Description section at the top of this page.
Title mm/huge_memory: fix use of NULL folio in move_pages_huge_pmd()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T15:16:01.427Z

Reserved: 2026-03-09T15:48:24.085Z

Link: CVE-2026-31397

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-03T16:16:38.093

Modified: 2026-04-03T16:16:38.093

Link: CVE-2026-31397

Redhat

Severity :

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-31397 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T21:15:29Z

Weaknesses