Description
In the Linux kernel, the following vulnerability has been resolved:

mm/damon/sysfs: check contexts->nr in repeat_call_fn

damon_sysfs_repeat_call_fn() calls damon_sysfs_upd_tuned_intervals(),
damon_sysfs_upd_schemes_stats(), and
damon_sysfs_upd_schemes_effective_quotas() without checking contexts->nr.
If nr_contexts is set to 0 via sysfs while DAMON is running, these
functions dereference contexts_arr[0] and cause a NULL pointer
dereference. Add the missing check.

For example, the issue can be reproduced using DAMON sysfs interface and
DAMON user-space tool (damo) [1] like below.

$ sudo damo start --refresh_interval 1s
$ echo 0 | sudo tee \
/sys/kernel/mm/damon/admin/kdamonds/0/contexts/nr_contexts
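The missing check described above, shown as a simplified user-space model. This is an added example, not the kernel's code or the upstream patch: struct ctx, struct ctx_dir, set_nr_contexts() and the two repeat_call_*() functions are hypothetical stand-ins, and only the names contexts_arr and nr follow the description.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space model; hypothetical stand-in types, not the kernel's definitions. */
struct ctx { unsigned long stat_updates; };
struct ctx_dir { struct ctx **contexts_arr; int nr; };

/* Models a write to nr_contexts: nr <= 0 leaves contexts_arr == NULL. */
int set_nr_contexts(struct ctx_dir *d, int nr)
{
    for (int i = 0; i < d->nr; i++)
        free(d->contexts_arr[i]);
    free(d->contexts_arr);
    d->contexts_arr = NULL;
    d->nr = 0;
    if (nr > 0 && !(d->contexts_arr = calloc((size_t)nr, sizeof(*d->contexts_arr))))
        return -1;
    for (int i = 0; i < nr; i++) {
        if (!(d->contexts_arr[i] = calloc(1, sizeof(struct ctx))))
            return -1;
        d->nr = i + 1; /* nr always matches the number of valid entries */
    }
    return 0;
}

/* Before the fix: the periodic refresh assumes contexts_arr[0] exists. */
int repeat_call_unchecked(struct ctx_dir *d)
{
    d->contexts_arr[0]->stat_updates++; /* NULL dereference when nr == 0 */
    return 1;
}

/* With the check: look at nr first, skip the refresh when there is no context. */
int repeat_call_checked(struct ctx_dir *d)
{
    if (d->nr == 0)
        return 0;
    d->contexts_arr[0]->stat_updates++;
    return 1;
}

int main(void)
{
    struct ctx_dir d = { NULL, 0 };
    set_nr_contexts(&d, 1);
    printf("nr=1 refreshed=%d\n", repeat_call_checked(&d));
    set_nr_contexts(&d, 0);
    printf("nr=0 refreshed=%d\n", repeat_call_checked(&d));
}
```

repeat_call_unchecked() is kept only to show the faulty pattern and is never called here.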
Published: 2026-04-22
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service due to kernel crash
Action: Apply patch
AI Analysis

Impact

The vulnerability is a NULL pointer dereference in the Linux kernel's DAMON sysfs interface (mm/damon/sysfs). When the number of contexts is set to zero through the sysfs interface while DAMON is running, the update functions called from damon_sysfs_repeat_call_fn() dereference contexts_arr[0], causing a NULL pointer dereference that crashes the kernel. This results in a system halt rather than arbitrary code execution.

Affected Systems

The flaw exists in any Linux kernel that includes the DAMON sysfs interface. It affects installations where the sysfs setting for DAMON's context count is accessible and can be modified while DAMON is running.

Risk and Exploitability

Because the vulnerability is triggered by writing to /sys/kernel/mm/damon/..., the attacker requires privileged access (root or similar). Once the kernel crashes, the system becomes unavailable, creating a denial-of-service condition. The EPSS score is not available and the vulnerability is not listed in CISA KEV, indicating no public exploitation yet. However, a local attacker with sufficient rights can easily trigger the issue using the damo utility or direct sysfs manipulation. The CVSS score is unspecified, but the impact is high for systems where DAMON is running.

Generated by OpenCVE AI on April 22, 2026 at 19:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an updated kernel that includes the contexts->nr check in damon_sysfs_repeat_call_fn().
  • Disable or stop DAMON before modifying its sysfs context settings.
  • Restrict write access to /sys/kernel/mm/damon/* to trusted administrators only.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 00:15:00 +0000


Wed, 22 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-690

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: check contexts->nr in repeat_call_fn damon_sysfs_repeat_call_fn() calls damon_sysfs_upd_tuned_intervals(), damon_sysfs_upd_schemes_stats(), and damon_sysfs_upd_schemes_effective_quotas() without checking contexts->nr. If nr_contexts is set to 0 via sysfs while DAMON is running, these functions dereference contexts_arr[0] and cause a NULL pointer dereference. Add the missing check. For example, the issue can be reproduced using DAMON sysfs interface and DAMON user-space tool (damo) [1] like below. $ sudo damo start --refresh_interval 1s $ echo 0 | sudo tee \ /sys/kernel/mm/damon/admin/kdamonds/0/contexts/nr_contexts
Title mm/damon/sysfs: check contexts->nr in repeat_call_fn
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-22T13:53:50.220Z

Reserved: 2026-03-09T15:48:24.092Z

Link: CVE-2026-31457

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-22T14:16:41.133

Modified: 2026-04-23T16:17:41.280

Link: CVE-2026-31457

Redhat

Severity:

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31457 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T19:15:24Z

Weaknesses