Description
In the Linux kernel, the following vulnerability has been resolved:

tracing: Drain deferred trigger frees if kthread creation fails

Boot-time trigger registration can fail before the trigger-data cleanup
kthread exists. Deferring those frees until late init is fine, but the
post-boot fallback must still drain the deferred list if kthread
creation never succeeds.

Otherwise, boot-deferred nodes can accumulate on
trigger_data_free_list, later frees fall back to synchronously freeing
only the current object, and the older queued entries are leaked
forever.

To trigger this, add the following to the kernel command line:

trace_event=sched_switch trace_trigger=sched_switch.traceon,sched_switch.traceon

The second traceon trigger will fail and be freed. This triggers a NULL
pointer dereference and crashes the kernel.

Keep the deferred boot-time behavior, but when kthread creation fails,
drain the whole queued list synchronously. Do the same in the late-init
drain path so queued entries are not stranded there either.
Published: 2026-04-22
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Kernel crash via NULL pointer dereference
Action: Apply patch
AI Analysis

Impact

A bug in the Linux kernel tracing subsystem lets a failed boot-time trigger registration leak memory and cause a NULL pointer dereference that crashes the kernel. Boot-time registration can fail before the trigger-data cleanup kthread exists, so the free is deferred; if kthread creation never succeeds, the deferred entries stay on trigger_data_free_list and are leaked, and freeing the failed second traceon trigger from the example command line dereferences a NULL pointer. The resulting crash disrupts system availability and can be triggered through a modified kernel boot command line.

Affected Systems

The vulnerability affects all Linux kernel builds that contain the old tracing implementation prior to the applied patch. All current kernel releases that have not incorporated the fix remain susceptible; the exact affected kernel versions are not enumerated in the data.

Risk and Exploitability

No CVSS or EPSS score is reported, and the flaw is not included in the CISA KEV catalog, indicating limited public exploitation data. The exploit requires precise control of the kernel boot command line, so it is effectively a local attack that only succeeds if the attacker can modify boot parameters or influence a compromised machine’s bootloader. The lack of a public exploit suggests a low exploitation probability, but the impact of a kernel crash is severe and warrants remediation.

Generated by OpenCVE AI on April 22, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that contains the tracing fix.
  • If an immediate kernel upgrade is not possible, remove or avoid using the second traceon trigger that is known to fail, ensuring only successful triggers are enabled on the command line.
  • Reboot the system after making the changes to enforce the updated kernel or modified boot settings.

Generated by OpenCVE AI on April 22, 2026 at 18:53 UTC.
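
An added check for the second recommended action above (example code, not from OpenCVE or the kernel project): it lists any event.trigger entry that appears more than once in trace_trigger= on a kernel command line, which is the pattern quoted in the description. The function names are hypothetical, and the parsing assumes simple unquoted values without "if" filter clauses.

```shell
#!/bin/sh
# Added example (not kernel or OpenCVE code): report event.trigger entries that
# are repeated in trace_trigger= on a kernel command line.
# Assumption: values are simple and unquoted, with no "if <filter>" clauses.

# Constructed sample; the trace_* options are the ones quoted in the description.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz ro quiet trace_event=sched_switch trace_trigger=sched_switch.traceon,sched_switch.traceon'

# dup_trace_triggers CMDLINE: print each repeated entry once, one per line.
# Steps: split into boot parameters, keep trace_trigger values, split those
# on commas, drop empty items, then keep only entries seen more than once.
dup_trace_triggers() {
    printf '%s\n' "$1" |
        tr ' \t' '\n\n' |
        sed -n 's/^trace_trigger=//p' |
        tr ',' '\n' |
        sed '/^$/d' |
        sort | uniq -d
}

# check_cmdline [CMDLINE]: audit the given string, or the running kernel's
# /proc/cmdline when no argument is passed. Returns 1 if repeats are found.
check_cmdline() {
    cmdline=${1-$(cat /proc/cmdline)}
    dups=$(dup_trace_triggers "$cmdline")
    if [ -n "$dups" ]; then
        printf 'repeated trace_trigger entries:\n%s\n' "$dups" >&2
        return 1
    fi
    return 0
}
```

Call check_cmdline with no argument on a booted host, or pass it the options line taken from the bootloader configuration before rebooting.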

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 00:15:00 +0000


Wed, 22 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-476

Wed, 22 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | (identical to the Description section at the top of this page)
Title | | tracing: Drain deferred trigger frees if kthread creation fails
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-22T13:54:08.236Z

Reserved: 2026-03-09T15:48:24.100Z

Link: CVE-2026-31481

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-22T14:16:45.340

Modified: 2026-04-23T16:17:41.280

Link: CVE-2026-31481

Redhat

Severity:

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31481 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T21:30:27Z

Weaknesses