Description
In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix trace_marker copy link list updates

When the "copy_trace_marker" option is enabled for an instance, anything
written into /sys/kernel/tracing/trace_marker is also copied into that
instance's buffer. When the option is set, that instance's trace_array
descriptor is added to the marker_copies link list. This list is protected
by RCU, as all iterations use an RCU protected list traversal.

When the instance is deleted, all the flags that were enabled are cleared.
This also clears the copy_trace_marker flag and removes the trace_array
descriptor from the list.

The issue is after the flags are called, a direct call to
update_marker_trace() is performed to clear the flag. This function
returns true if the state of the flag changed and false otherwise. If it
returns true here, synchronize_rcu() is called to make sure all readers
see that it's removed from the list.

But since the flag was already cleared, the state does not change and the
synchronization is never called, leaving a possible UAF bug.

Move the clearing of all flags below the updating of the copy_trace_marker
option which then makes sure the synchronization is performed.

Also use the flag for checking the state in update_marker_trace() instead
of looking at if the list is empty.
Published: 2026-04-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use‑After‑Free leading to memory corruption in the Linux kernel
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a classic use-after-free in the Linux kernel's trace_marker copy mechanism. When the copy_trace_marker option is enabled for an instance, data written to /sys/kernel/tracing/trace_marker is also copied into that instance's buffer, and the instance's trace_array descriptor is added to the RCU-protected marker_copies list. During instance deletion, the generic flag-clearing step already clears the copy_trace_marker flag and unlinks the descriptor, so the later direct call to update_marker_trace() observes no state change and the synchronize_rcu() that should follow it is skipped. The descriptor can then be freed while an RCU reader is still traversing the list, letting that reader access freed memory, potentially corrupting the kernel or providing a foothold for arbitrary code execution. The flaw is consistent with CWE-416 and CWE-825 and represents a critical kernel memory corruption risk.
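The ordering defect described in the Description and in the Impact paragraph above, modelled in user-space C. This is an added example, not code from the kernel or from OpenCVE: it keeps the kernel's function names (set_tracer_flag, update_marker_trace, synchronize_rcu) so the sequence is recognisable, but the bodies, the flag bit values, ZEROED_TRACE_FLAGS and the list are constructed stand-ins, remove_instance() is a hypothetical stand-in for the instance-deletion path, and synchronize_rcu() only counts how often it ran before the descriptor was freed. It shows why clearing all flags first leaves no grace period between unlinking the descriptor and freeing it, and why moving the direct update_marker_trace() call above the flag-clearing loop restores that grace period.

```c
/*
 * Added example, not kernel code: a user-space model of the ordering defect
 * described above. Function names mirror the kernel's, but the bodies, flag
 * values and the list are simplified, constructed stand-ins, and
 * synchronize_rcu() merely counts how often it ran before the free.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define TRACE_ITER_COPY_MARKER (1u << 0)  /* modelled copy_trace_marker flag */
#define TRACE_ITER_OTHER       (1u << 1)  /* some other per-instance flag */
#define ZEROED_TRACE_FLAGS     (TRACE_ITER_COPY_MARKER | TRACE_ITER_OTHER)
#define TRACE_FLAGS_MAX_SIZE   2

struct trace_array {
    unsigned int trace_flags;
    struct trace_array *next;   /* link on the modelled marker_copies list */
};

static struct trace_array *marker_copies;   /* list head (RCU-protected in the kernel) */
static unsigned int rcu_syncs;              /* synchronize_rcu() calls so far */

static void synchronize_rcu(void) { rcu_syncs++; }
static bool marker_list_empty(void) { return marker_copies == NULL; }

static void list_add_rcu(struct trace_array *tr)
{
    tr->next = marker_copies;
    marker_copies = tr;
}

static void list_del_init(struct trace_array *tr)
{
    struct trace_array **pp;

    for (pp = &marker_copies; *pp; pp = &(*pp)->next) {
        if (*pp == tr) {
            *pp = tr->next;
            break;
        }
    }
    tr->next = NULL;
}

/*
 * Returns true only when the copy_trace_marker state actually changed; the
 * deletion path relies on that to decide whether a grace period is needed.
 * As in the fix, the current state is read from the flag, not from the list.
 */
static bool update_marker_trace(struct trace_array *tr, int enabled)
{
    bool active = tr->trace_flags & TRACE_ITER_COPY_MARKER;

    if (enabled) {
        if (active)
            return false;
        list_add_rcu(tr);
        tr->trace_flags |= TRACE_ITER_COPY_MARKER;
        return true;
    }
    if (!active)
        return false;
    list_del_init(tr);
    tr->trace_flags &= ~TRACE_ITER_COPY_MARKER;
    return true;
}

/* Generic option toggle. Toggling alone never frees tr, so no grace period here. */
static void set_tracer_flag(struct trace_array *tr, unsigned int mask, int enabled)
{
    if (!!(tr->trace_flags & mask) == !!enabled)
        return;                              /* already in the requested state */
    if (mask == TRACE_ITER_COPY_MARKER)
        update_marker_trace(tr, enabled);    /* return value deliberately ignored */
    else if (enabled)
        tr->trace_flags |= mask;
    else
        tr->trace_flags &= ~mask;
}

static void clear_all_flags(struct trace_array *tr)
{
    for (int i = 0; i < TRACE_FLAGS_MAX_SIZE; i++)
        if ((1u << i) & ZEROED_TRACE_FLAGS)
            set_tracer_flag(tr, 1u << i, 0);
}

/*
 * Hypothetical stand-in for instance deletion, in both orders. Returns how many
 * grace periods elapsed between unlinking tr and freeing it: 0 means a reader
 * that was already walking the list may dereference freed memory.
 */
static unsigned int remove_instance(struct trace_array *tr, bool fixed_order)
{
    unsigned int before = rcu_syncs;

    if (!fixed_order) {
        clear_all_flags(tr);                 /* unlinks tr as a side effect, no sync */
        if (update_marker_trace(tr, 0))      /* state unchanged, so returns false */
            synchronize_rcu();               /* never reached */
    } else {
        if (update_marker_trace(tr, 0))      /* unlinks tr and reports the change */
            synchronize_rcu();               /* readers finish before the free */
        clear_all_flags(tr);                 /* copy_trace_marker already off: no-op for it */
    }
    free(tr);
    return rcu_syncs - before;
}

/* Create an instance with copy_trace_marker on, delete it, report grace periods. */
unsigned int grace_periods_before_free(bool fixed_order)
{
    struct trace_array *tr = calloc(1, sizeof(*tr));

    if (!tr)
        abort();
    tr->trace_flags = TRACE_ITER_OTHER;
    set_tracer_flag(tr, TRACE_ITER_COPY_MARKER, 1);
    return remove_instance(tr, fixed_order);
}

int main(void)
{
    printf("original order: %u grace period(s) before free\n",
           grace_periods_before_free(false));
    printf("fixed order:    %u grace period(s) before free\n",
           grace_periods_before_free(true));
    return 0;
}
```

The point the model makes is that a "did the state change" return value is only a safe gate for synchronize_rcu() if nothing earlier in the same path has already made the change silently; the generic flag-clearing loop did exactly that, so the gate closed on the one call that mattered.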

Affected Systems

The issue is present in any Linux kernel that includes the trace_marker copy feature but not the fix; it is vendor-agnostic and applies to every release that ships the unpatched implementation. No specific affected versions are listed in the data, so any such kernel on which a tracing instance has the copy_trace_marker option enabled should be treated as at risk.

Risk and Exploitability

The EPSS score is below 1% and the vulnerability is not listed in CISA's KEV catalog, indicating a low observed exploitation probability to date. However, kernel use-after-free bugs typically carry a high impact rating and can be leveraged by an attacker with local privileges to crash the system or execute code with kernel privileges. The CVSS 3.1 base score is 7.8 (High). Attackers would need to enable or trigger the trace_marker write path while the copy option is active, which generally requires root or CAP_SYS_ADMIN privileges.

Generated by OpenCVE AI on April 28, 2026 at 23:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a kernel version that includes the fix commit "tracing: Fix trace_marker copy link list updates", which restores the missing RCU synchronization
  • If an upgrade is not immediately possible, turn the copy_trace_marker option off in every tracing instance that has it enabled by writing 0 to it (it is a per-instance tracefs option, not a build-time kernel configuration setting)
  • Refrain from writing to /sys/kernel/tracing/trace_marker on unpatched systems until the kernel is upgraded

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:00:00 +0000

  Values added:
  • Weaknesses: CWE-416
  • CPEs:
      cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
      cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
      cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
      cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
  • Metrics: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Values removed: none


Sat, 25 Apr 2026 00:15:00 +0000

Fri, 24 Apr 2026 15:00:00 +0000

  Values added:
  • Description: the full description text (identical to the Description at the top of this page)
  • Title: tracing: Fix trace_marker copy link list updates
  • First time appeared: Linux, Linux Kernel
  • CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: Linux, Linux Kernel
  Values removed: none
MITRE

  Status: PUBLISHED
  Assigner: Linux
  Published:
  Updated: 2026-05-11T22:10:46.355Z
  Reserved: 2026-03-09T15:48:24.114Z
  Link: CVE-2026-31541

Vulnrichment

  No data.

NVD

  Status: Analyzed
  Published: 2026-04-24T15:16:28.117
  Modified: 2026-04-28T18:50:29.970
  Link: CVE-2026-31541

Red Hat

  Severity:
  Public Date: 2026-04-24T00:00:00Z
  Links: CVE-2026-31541 - Bugzilla

OpenCVE Enrichment

  Updated: 2026-04-29T00:00:13Z

Weaknesses