CVE-2026-31589 - Vulnerability Details

- mm: call ->free_folio() directly in folio_unmap_invalidate()

Description

In the Linux kernel, the following vulnerability has been resolved:

mm: call ->free_folio() directly in folio_unmap_invalidate()

We can only call filemap_free_folio() if we have a reference to (or hold a
lock on) the mapping. Otherwise, we've already removed the folio from the
mapping so it no longer pins the mapping and the mapping can be removed,
causing a use-after-free when accessing mapping->a_ops.

Follow the same pattern as __remove_mapping() and load the free_folio
function pointer before dropping the lock on the mapping. That lets us
make filemap_free_folio() static as this was the only caller outside
filemap.c.

Published: 2026-04-24

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw occurs in the Linux kernel memory manager, where a handler calls the free operation on a folio after the mapping lock has been released. This allows the folio to be freed while the mapping still exists, resulting in a use‑after‑free of mapping->a_ops. The flaw can lead to code execution in kernel mode, giving an attacker local privilege escalation.

Affected Systems

All current Linux kernel versions are potentially affected until a patched version is installed. The vulnerability is present in the generic Linux kernel, affecting all vendor builds that use the upstream kernel without the patch.

Risk and Exploitability

The CVSS score of 9.8 indicates a high severity vulnerability. The EPSS score is less than 1%, suggesting a low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. However, because the flaw is a use‑after‑free in the kernel, an attacker with local access could potentially trigger it by manipulating memory mapping operations, leading to privilege escalation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`fb7d3bc4149395c1ae99029c852eab6c28fc3c88`	affected	< efc52947247a21bbf79059539bbbd40f4ea76f00
`fb7d3bc4149395c1ae99029c852eab6c28fc3c88`	affected	< b667df39d98a7a24be7c2a40ff0863dac1ad2cd7
`fb7d3bc4149395c1ae99029c852eab6c28fc3c88`	affected	< c330e65ea59c4805d6ab6757c4ddfe8c63acef31
`fb7d3bc4149395c1ae99029c852eab6c28fc3c88`	affected	< 615d9bb2ccad42f9e21d837431e401db2e471195

Linux

affected

Version	Status	Constraints
`6.14`	affected	—
`0`	unaffected	< 6.14
`6.18.27`	unaffected	≤ 6.18.*
`6.19.14`	unaffected	≤ 6.19.*
`7.0.1`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[fb7d3bc4149395c1ae99029c852eab6c28fc3c88,b667df39d98a7a24be7c2a40ff0863dac1ad2cd7)`	affected	code_commit	—
`[fb7d3bc4149395c1ae99029c852eab6c28fc3c88,c330e65ea59c4805d6ab6757c4ddfe8c63acef31)`	affected	code_commit	—
`[fb7d3bc4149395c1ae99029c852eab6c28fc3c88,615d9bb2ccad42f9e21d837431e401db2e471195)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.14`	affected	generic	—
`[0,6.14)`	unaffected	generic	—
`[6.19.14,6.20.0)`	unaffected	semver	—
`[7.0.1,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel update that incorporates the fix for the use‑after‑free in folio_unmap_invalidate
Reboot the system to load the updated kernel
Consider disabling or limiting kernel modules that perform memory mapping operations until a patch is available

Generated by OpenCVE AI on April 28, 2026 at 23:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00057.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/615d9bb2ccad42f9e21d837431e401db2e471195
https://git.kernel.org/stable/c/b667df39d98a7a24be7c2a40ff0863dac1ad2cd7
https://git.kernel.org/stable/c/c330e65ea59c4805d6ab6757c4ddfe8c63acef31
https://git.kernel.org/stable/c/efc52947247a21bbf79059539bbbd40f4ea76f00
https://lore.kernel.org/linux-cve-announce/2026042414-CVE-2026-31589-18ae@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31589
https://www.cve.org/CVERecord?id=CVE-2026-31589

History

Thu, 07 May 2026 05:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/efc52947247a21bbf79059539bbbd40f4ea76f00

Tue, 28 Apr 2026 20:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Tue, 28 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Tue, 28 Apr 2026 07:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Tue, 28 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-825
References		https://lore.kernel.org/linux-cve-announce/2026042414-CVE-2026-31589-18ae@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31589 https://www.cve.org/CVERecord?id=CVE-2026-31589
Metrics	threat_severity `None`	threat_severity `Moderate`

Mon, 27 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Mon, 27 Apr 2026 11:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/615d9bb2ccad42f9e21d837431e401db2e471195

Fri, 24 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: mm: call ->free_folio() directly in folio_unmap_invalidate() We can only call filemap_free_folio() if we have a reference to (or hold a lock on) the mapping. Otherwise, we've already removed the folio from the mapping so it no longer pins the mapping and the mapping can be removed, causing a use-after-free when accessing mapping->a_ops. Follow the same pattern as __remove_mapping() and load the free_folio function pointer before dropping the lock on the mapping. That lets us make filemap_free_folio() static as this was the only caller outside filemap.c.
Title		mm: call ->free_folio() directly in folio_unmap_invalidate()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/b667df39d98a7a24be7c2a40ff0863dac1ad2cd7 https://git.kernel.org/stable/c/c330e65ea59c4805d6ab6757c4ddfe8c63acef31

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-24T14:42:16.955Z

Updated: 2026-05-11T22:11:42.830Z

Reserved: 2026-03-09T15:48:24.120Z

Link: CVE-2026-31589

Vulnrichment

No data.

NVD

Status : Modified

Published: 2026-04-24T15:16:34.700

Modified: 2026-05-07T06:16:03.710

Link: CVE-2026-31589

Redhat

Severity : Moderate

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31589 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T23:45:16Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object