Description
In the Linux kernel, the following vulnerability has been resolved:

mm/damon/sysfs: check contexts->nr before accessing contexts_arr[0]

Multiple sysfs command paths dereference contexts_arr[0] without first
verifying that kdamond->contexts->nr == 1. A user can set nr_contexts to
0 via sysfs while DAMON is running, causing NULL pointer dereferences.

In more detail, the issue can be triggered by privileged users like
below.

First, start DAMON and make contexts directory empty
(kdamond->contexts->nr == 0).

# damo start
# cd /sys/kernel/mm/damon/admin/kdamonds/0
# echo 0 > contexts/nr_contexts

Then, each of below commands will cause the NULL pointer dereference.

# echo update_schemes_stats > state
# echo update_schemes_tried_regions > state
# echo update_schemes_tried_bytes > state
# echo update_schemes_effective_quotas > state
# echo update_tuned_intervals > state

Guard all commands (except OFF) at the entry point of
damon_sysfs_handle_cmd().
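A simplified C model of the guard the commit message describes, added here as an illustration and not the kernel's own code: the structure layouts, the enum values and the helper names are hypothetical stand-ins, and only the check at the entry point of damon_sysfs_handle_cmd() mirrors the shape of the fix.

```c
/* Added model of the DAMON sysfs command guard; not kernel code.
 * Layouts and names below are hypothetical simplifications. */
#include <stddef.h>
#include <stdlib.h>
#include <errno.h>

enum damon_sysfs_cmd {
	CMD_OFF,			/* stop the kdamond; needs no context */
	CMD_UPDATE_SCHEMES_STATS,
	CMD_UPDATE_SCHEMES_TRIED_REGIONS,
	CMD_UPDATE_SCHEMES_TRIED_BYTES,
	CMD_UPDATE_SCHEMES_EFFECTIVE_QUOTAS,
	CMD_UPDATE_TUNED_INTERVALS,
};

struct damon_sysfs_context { int nr_schemes; };

struct damon_sysfs_contexts {
	struct damon_sysfs_context **contexts_arr;	/* NULL when nr == 0 */
	int nr;
};

struct damon_sysfs_kdamond { struct damon_sysfs_contexts *contexts; };

/* Build a kdamond whose contexts directory holds `nr` contexts; nr == 0
 * models "echo 0 > contexts/nr_contexts" issued while DAMON runs. */
struct damon_sysfs_kdamond *make_kdamond(int nr)
{
	struct damon_sysfs_kdamond *k = calloc(1, sizeof(*k));
	k->contexts = calloc(1, sizeof(*k->contexts));
	k->contexts->nr = nr;
	if (nr > 0)
		k->contexts->contexts_arr = calloc(nr, sizeof(*k->contexts->contexts_arr));
	for (int i = 0; i < nr; i++) {
		k->contexts->contexts_arr[i] = calloc(1, sizeof(struct damon_sysfs_context));
		k->contexts->contexts_arr[i]->nr_schemes = 3;	/* constructed sample value */
	}
	return k;
}

/* Before the fix every non-OFF command path reached code like this with
 * no check on nr: contexts_arr[0] is a NULL dereference when nr == 0. */
static int damon_sysfs_cmd_unguarded(struct damon_sysfs_kdamond *kdamond)
{
	struct damon_sysfs_context *ctx = kdamond->contexts->contexts_arr[0];
	return ctx->nr_schemes;
}

/* After the fix: reject everything except OFF unless exactly one context
 * exists, before any contexts_arr[0] access can happen. */
int damon_sysfs_handle_cmd(struct damon_sysfs_kdamond *kdamond, enum damon_sysfs_cmd cmd)
{
	if (cmd != CMD_OFF && kdamond->contexts->nr != 1)
		return -EINVAL;
	if (cmd == CMD_OFF)
		return 0;
	return damon_sysfs_cmd_unguarded(kdamond);	/* nr == 1 is guaranteed here */
}
```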
Published: 2026-04-22
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via NULL pointer dereference in the Linux DAMON sysfs interface
Action: Immediate Patch
AI Analysis

Impact

A bug in the Linux kernel DAMON subsystem allows a privileged user to dereference a null pointer when manipulating context objects through sysfs, causing a kernel crash. The flaw arises because the code does not verify that the number of contexts equals one before accessing the first context array element. The resulting crash can interrupt services running on the affected machine, leading to service outages and potential loss of availability. The likely attack vector is local privileged users with write access to the /sys filesystem.

Affected Systems

All Linux kernel versions that include the DAMON (Data Access MONitor) subsystem are potentially affected; the patch does not enumerate affected releases, so users should check whether their kernel version incorporates the fix.

Risk and Exploitability

The EPSS score is below 1%, the vulnerability is not listed in CISA KEV, and the CVSS score is 5.5. A user with root or equivalent privilege can trigger the flaw by writing 0 to the nr_contexts attribute in the DAMON sysfs hierarchy and then issuing any of the state commands that access the now-empty contexts array. Because the kernel crashes, the result is a denial of service. The risk remains high for systems that enable and expose DAMON to privileged users.

Generated by OpenCVE AI on April 28, 2026 at 15:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that corrects the null-pointer dereference in the DAMON sysfs handler
  • Upgrade to the latest kernel release that contains the fix
  • If the patch cannot be applied immediately, disable the DAMON module or restrict write access to /sys/kernel/mm/damon/admin/kdamonds/0/contexts/nr_contexts

Advisories
Source: Debian DSA | ID: DSA-6238-1 | Title: linux security update
History

Tue, 05 May 2026 21:30:00 +0000

CPEs:
  cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*

Mon, 27 Apr 2026 19:30:00 +0000

Weaknesses: CWE-476

Thu, 23 Apr 2026 00:15:00 +0000

Weaknesses: CWE-1284
References:
Metrics:
  threat_severity: None -> Moderate
  cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Wed, 22 Apr 2026 14:15:00 +0000

Description: (text as in the Description section above)
Title: mm/damon/sysfs: check contexts->nr before accessing contexts_arr[0]
First Time appeared: Linux, Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux, Linux linux Kernel
References:

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:09:07.003Z

Reserved: 2026-03-09T15:48:24.092Z

Link: CVE-2026-31458

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-22T14:16:41.260

Modified: 2026-05-05T21:23:03.250

Link: CVE-2026-31458

Redhat

Severity : Moderate

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31458 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T15:45:06Z

Weaknesses