Description
In the Linux kernel, the following vulnerability has been resolved:

mm/userfaultfd: fix hugetlb fault mutex hash calculation

In mfill_atomic_hugetlb(), linear_page_index() is used to calculate the
page index for hugetlb_fault_mutex_hash(). However, linear_page_index()
returns the index in PAGE_SIZE units, while hugetlb_fault_mutex_hash()
expects the index in huge page units. This mismatch means that different
addresses within the same huge page can produce different hash values,
leading to the use of different mutexes for the same huge page. This can
cause races between faulting threads, which can corrupt the reservation
map and trigger the BUG_ON in resv_map_release().

Fix this by introducing hugetlb_linear_page_index(), which returns the
page index in huge page granularity, and using it in place of
linear_page_index().
Published: 2026-04-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Kernel memory corruption and potential crash
Action: Apply Patch
AI Analysis

Impact

In the Linux kernel, a race condition in hugetlb fault handling is triggered when the page index used to locate a hugetlb fault mutex does not match the expected huge page granularity. The mismatch leads to different mutexes being used for addresses within the same huge page, corrupting a reservation map and causing a BUG_ON on release. The flaw can cause kernel memory corruption, which may result in a system crash. The weakness is identified by CWE-821 and NVD-CWE-noinfo.

Affected Systems

All Linux kernel builds that contain the buggy hugetlb fault handling routine before the fix, including all current and previous releases that have not yet incorporated the patch. The affected product is the Linux kernel, version unspecified in the advisory.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score is reported as less than 1%, indicating a low probability of exploitation in the wild. CVE-2026-31575 is not listed in CISA’s KEV catalog. Exploitation would require an attacker to trigger the hugetlb fault mechanism, which can be done via the userfaultfd interface. An attacker with local user privileges could induce the race to crash the system, but remote or privilege‑escalating exploitation is not supported by the available information.

Generated by OpenCVE AI on April 28, 2026 at 14:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the hugetlb_linear_page_index() fix.
  • If updating is not immediately possible, restrict or disable the use of userfaultfd in combination with huge pages on affected systems.
  • Monitor system logs for unexpected BUG_ON occurrences or kernel crashes and apply the patch as soon as it becomes available.

Generated by OpenCVE AI on April 28, 2026 at 14:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Mon, 27 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
References

Mon, 27 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
References

Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-821
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mm/userfaultfd: fix hugetlb fault mutex hash calculation In mfill_atomic_hugetlb(), linear_page_index() is used to calculate the page index for hugetlb_fault_mutex_hash(). However, linear_page_index() returns the index in PAGE_SIZE units, while hugetlb_fault_mutex_hash() expects the index in huge page units. This mismatch means that different addresses within the same huge page can produce different hash values, leading to the use of different mutexes for the same huge page. This can cause races between faulting threads, which can corrupt the reservation map and trigger the BUG_ON in resv_map_release(). Fix this by introducing hugetlb_linear_page_index(), which returns the page index in huge page granularity, and using it in place of linear_page_index().
Title mm/userfaultfd: fix hugetlb fault mutex hash calculation
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:11:26.533Z

Reserved: 2026-03-09T15:48:24.119Z

Link: CVE-2026-31575

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T15:16:32.123

Modified: 2026-04-27T23:15:42.890

Link: CVE-2026-31575

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31575 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T14:15:34Z

Weaknesses