Description
In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: avoid use of half-online-committed context

One major usage of damon_call() is online DAMON parameters update. It is
done by calling damon_commit_ctx() inside the damon_call() callback
function. damon_commit_ctx() can fail for two reasons: 1) invalid
parameters and 2) internal memory allocation failures. In case of
failures, the damon_ctx that attempted to be updated (commit destination)
can be partially updated (or, corrupted from a perspective), and therefore
shouldn't be used anymore. The function only ensures the damon_ctx object
can be safely deallocated using damon_destroy_ctx().

The API callers are, however, calling damon_commit_ctx() only after
asserting the parameters are valid, to avoid damon_commit_ctx() failing due
to invalid input parameters. But it can still theoretically fail if the
internal memory allocation fails. In the case, DAMON may run with the
partially updated damon_ctx. This can result in unexpected behaviors
including even NULL pointer dereference in case of damos_commit_dests()
failure [1]. Such allocation failure is arguably too small to fail, so
the real world impact would be rare. But, given the bad consequence, this
needs to be fixed.

Avoid such partially-committed (maybe-corrupted) damon_ctx use by saving
the damon_commit_ctx() failure on the damon_ctx object. For this,
introduce damon_ctx->maybe_corrupted field. damon_commit_ctx() sets it
when it fails. kdamond_call() checks if the field is set after each
damon_call_control->fn() is executed. If it is set, ignore remaining
callback requests and return. All kdamond_call() callers including
kdamond_fn() also check the maybe_corrupted field right after
kdamond_call() invocations. If the field is set, break the kdamond_fn()
main loop so that DAMON still doesn't use the context that might be
corrupted.

[sj@kernel.org: let kdamond_call() with cancel regardless of maybe_corrupted]
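The mechanism the commit message describes (a commit that can leave its destination half-updated, a flag recorded on the context when that happens, callback requests cancelled and the main loop stopped once the flag is set) as an added user-space model in C. This is example code written for this page, not kernel code; every name in it (toy_ctx, toy_commit, toy_call, toy_run, the fault-injection counter) is a hypothetical stand-in for the DAMON internals named above, and the failure order (old table dropped before the new one is allocated) is an assumption chosen to reproduce the NULL-table hazard the commit refers to.

```c
/* Added example (not kernel code): user-space model of the maybe_corrupted
 * pattern. All names are hypothetical stand-ins for DAMON internals. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define TOY_NR_SCHEMES 3
#define TOY_NR_DESTS 2

struct toy_scheme { int *dests; };        /* stands in for a scheme's dests table */
struct toy_ctx {
    struct toy_scheme schemes[TOY_NR_SCHEMES];
    bool maybe_corrupted;                 /* the flag the fix introduces */
};

/* Fault injection (constructed for the example): fail the Nth allocation. */
static int fail_alloc_at = -1;
static int alloc_count;

static int *toy_alloc_dests(void)
{
    if (alloc_count++ == fail_alloc_at)
        return NULL;
    return calloc(TOY_NR_DESTS, sizeof(int));
}

/* Commit src's per-scheme tables into dst. The old table is dropped before
 * the new one is allocated (assumed order), so a failure part-way leaves dst
 * with some schemes updated and one holding a NULL table: the commit only
 * guarantees dst can still be freed, so it records the failure on dst. */
static int toy_commit(struct toy_ctx *dst, const struct toy_ctx *src)
{
    for (int i = 0; i < TOY_NR_SCHEMES; i++) {
        free(dst->schemes[i].dests);
        dst->schemes[i].dests = toy_alloc_dests();
        if (!dst->schemes[i].dests) {
            dst->maybe_corrupted = true;
            return -ENOMEM;
        }
        memcpy(dst->schemes[i].dests, src->schemes[i].dests,
               TOY_NR_DESTS * sizeof(int));
    }
    return 0;
}

struct toy_call_control {
    int (*fn)(struct toy_ctx *ctx, void *arg);
    void *arg;
    bool executed, canceled;
};

/* Like kdamond_call(): run queued requests, but once the ctx is flagged,
 * cancel the remaining requests instead of running them on a bad ctx. */
static void toy_call(struct toy_ctx *ctx, struct toy_call_control *reqs, int n)
{
    for (int i = 0; i < n; i++) {
        if (ctx->maybe_corrupted) {
            reqs[i].canceled = true;
            continue;
        }
        reqs[i].fn(ctx, reqs[i].arg);
        reqs[i].executed = true;
    }
}

static int commit_cb(struct toy_ctx *ctx, void *arg)
{
    return toy_commit(ctx, arg);
}

struct toy_result {
    int executed, canceled;   /* request bookkeeping */
    int safe_iterations;      /* loop iterations that went on to use the ctx */
    bool corrupted;
    bool null_table_left;     /* some scheme ended with dests == NULL */
};

/* One run of a kdamond_fn()-like loop: two commit requests on the first
 * iteration, then the ctx is used only while it is not flagged.
 * fail_at is the 0-based allocation to fail, or -1 for none. */
struct toy_result toy_run(int fail_at)
{
    struct toy_ctx live = {0}, staged = {0};
    struct toy_result r = {0};
    struct toy_call_control reqs[2] = {
        { commit_cb, &staged, false, false },
        { commit_cb, &staged, false, false },
    };

    for (int i = 0; i < TOY_NR_SCHEMES; i++) {
        live.schemes[i].dests = calloc(TOY_NR_DESTS, sizeof(int));
        staged.schemes[i].dests = calloc(TOY_NR_DESTS, sizeof(int));
    }
    fail_alloc_at = fail_at;
    alloc_count = 0;

    for (int iter = 0; iter < 3; iter++) {
        toy_call(&live, reqs, iter == 0 ? 2 : 0);
        if (live.maybe_corrupted)
            break;                /* the fix: never touch a flagged ctx */
        r.safe_iterations++;      /* this is where the tables would be read */
    }
    for (int i = 0; i < 2; i++) {
        r.executed += reqs[i].executed;
        r.canceled += reqs[i].canceled;
    }
    r.corrupted = live.maybe_corrupted;
    for (int i = 0; i < TOY_NR_SCHEMES; i++) {
        r.null_table_left |= (live.schemes[i].dests == NULL);
        free(live.schemes[i].dests);
        free(staged.schemes[i].dests);
    }
    return r;
}
```

With no fault injected (toy_run(-1)) both requests run and the loop uses the context on all three iterations. Failing the second allocation (toy_run(1)) reproduces the situation the commit describes: the first commit leaves one scheme with a NULL table, the flag is set, the second request is cancelled rather than executed, and the loop exits without ever reading the tables, which is exactly the read that would have dereferenced NULL had the flag not been checked.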
Published: 2026-04-22
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in the Linux kernel when the DAMON online monitoring context is updated. During a damon_call() callback, damon_commit_ctx() may fail due to memory allocation errors, leaving the damon_ctx partially updated. If the code continues to use this corrupted context, a NULL pointer dereference can occur, potentially crashing the kernel. This defect does not provide direct data leakage or malicious code execution, but can lead to a denial of service by forcing a system reboot or instability when the kernel attempts to use a corrupted DAMON context. The likely attack vector is a local process that invokes damon_call() in a way that triggers the allocation failure; external attackers would need elevated privileges to interact with the kernel DAMON subsystem to realize the impact.

Affected Systems

Linux kernel implementations are affected. The issue targets the kernel’s DAMON subsystem in any kernel that has not yet incorporated the patch that introduces damon_ctx->maybe_corrupted and the associated safety checks. Specific version information is not supplied in the CVE data; the vulnerability has been addressed in a series of kernel commits (see the provided references).

Risk and Exploitability

The CVSS score is 5.5, the EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog. The vulnerability could theoretically be exploited in a local context where an attacker can trigger damon_call() failures, but the rarity of memory allocation failures makes real‑world exploitation unlikely. The primary risk is system instability rather than privilege escalation, and the exploitability depends on an attacker’s ability to manipulate the DAMON subsystem and to induce a memory allocation failure at a precise moment. Overall, the risk is modest but significant for systems relying on DAMON for performance monitoring. The issue is a Null Pointer Dereference (CWE-476).

Generated by OpenCVE AI on May 7, 2026 at 20:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Patch the kernel to a version that includes the damon_ctx->maybe_corrupted field and associated safety checks, as introduced in the recent kernel commits. Such a patch is available in the latest stable releases and in the 7.x release candidates; fully upgrade to a supported kernel that integrates these changes.
  • If an immediate kernel upgrade is not possible, disable the DAMON subsystem by setting its enable flag to off via the appropriate sysfs or sysctl entry (for example, echo "0" > /sys/kernel/mm/damon/enable) or by unloading the kdamond kernel module if it is loaded as a module. This eliminates the opportunity for a partially committed context to be used.
  • Monitor kernel logs for messages indicating NULL pointer dereference or DAMON-related failures, and investigate any such incidents promptly. Regularly review system stability and performance monitoring configurations to avoid unnecessary DAMON updates that could increase the likelihood of memory allocation failure.

Generated by OpenCVE AI on May 7, 2026 at 20:53 UTC.

Advisories

No advisories yet.

History

Thu, 07 May 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Wed, 29 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CWE-690

Mon, 27 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CWE-690

Thu, 23 Apr 2026 00:15:00 +0000


Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description (verbatim copy of the description shown at the top of this page)
Title mm/damon/core: avoid use of half-online-committed context
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:08:50.744Z

Reserved: 2026-03-09T15:48:24.090Z

Link: CVE-2026-31445

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-22T14:16:38.177

Modified: 2026-05-07T19:23:11.047

Link: CVE-2026-31445

Redhat

Severity :

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31445 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-07T21:00:13Z

Weaknesses