{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31600", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.121Z", "datePublished": "2026-04-24T14:42:24.641Z", "dateUpdated": "2026-04-24T14:42:24.641Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-24T14:42:24.641Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: mm: Handle invalid large leaf mappings correctly\n\nIt has been possible for a long time to mark ptes in the linear map as\ninvalid. This is done for secretmem, kfence, realm dma memory un/share,\nand others, by simply clearing the PTE_VALID bit. But until commit\na166563e7ec37 (\"arm64: mm: support large block mapping when\nrodata=full\") large leaf mappings were never made invalid in this way.\n\nIt turns out various parts of the code base are not equipped to handle\ninvalid large leaf mappings (in the way they are currently encoded) and\nI've observed a kernel panic while booting a realm guest on a\nBBML2_NOABORT system as a result:\n\n[ 15.432706] software IO TLB: Memory encryption is active and system is using DMA bounce buffers\n[ 15.476896] Unable to handle kernel paging request at virtual address ffff000019600000\n[ 15.513762] Mem abort info:\n[ 15.527245] ESR = 0x0000000096000046\n[ 15.548553] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 15.572146] SET = 0, FnV = 0\n[ 15.592141] EA = 0, S1PTW = 0\n[ 15.612694] FSC = 0x06: level 2 translation fault\n[ 15.640644] Data abort info:\n[ 15.661983] ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000\n[ 15.694875] CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n[ 15.723740] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 15.755776] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000081f3f000\n[ 15.800410] [ffff000019600000] pgd=0000000000000000, p4d=180000009ffff403, pud=180000009fffe403, pmd=00e8000199600704\n[ 15.855046] Internal error: Oops: 0000000096000046 [#1] SMP\n[ 15.886394] Modules linked in:\n[ 15.900029] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 7.0.0-rc4-dirty #4 PREEMPT\n[ 15.935258] Hardware name: linux,dummy-virt (DT)\n[ 15.955612] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 15.986009] pc : __pi_memcpy_generic+0x128/0x22c\n[ 16.006163] lr : swiotlb_bounce+0xf4/0x158\n[ 16.024145] sp : ffff80008000b8f0\n[ 16.038896] x29: ffff80008000b8f0 x28: 0000000000000000 x27: 0000000000000000\n[ 16.069953] x26: ffffb3976d261ba8 x25: 0000000000000000 x24: ffff000019600000\n[ 16.100876] x23: 0000000000000001 x22: ffff0000043430d0 x21: 0000000000007ff0\n[ 16.131946] x20: 0000000084570010 x19: 0000000000000000 x18: ffff00001ffe3fcc\n[ 16.163073] x17: 0000000000000000 x16: 00000000003fffff x15: 646e612065766974\n[ 16.194131] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n[ 16.225059] x11: 0000000000000000 x10: 0000000000000010 x9 : 0000000000000018\n[ 16.256113] x8 : 0000000000000018 x7 : 0000000000000000 x6 : 0000000000000000\n[ 16.287203] x5 : ffff000019607ff0 x4 : ffff000004578000 x3 : ffff000019600000\n[ 16.318145] x2 : 0000000000007ff0 x1 : ffff000004570010 x0 : ffff000019600000\n[ 16.349071] Call trace:\n[ 16.360143] __pi_memcpy_generic+0x128/0x22c (P)\n[ 16.380310] swiotlb_tbl_map_single+0x154/0x2b4\n[ 16.400282] swiotlb_map+0x5c/0x228\n[ 16.415984] dma_map_phys+0x244/0x2b8\n[ 16.432199] dma_map_page_attrs+0x44/0x58\n[ 16.449782] virtqueue_map_page_attrs+0x38/0x44\n[ 16.469596] virtqueue_map_single_attrs+0xc0/0x130\n[ 16.490509] virtnet_rq_alloc.isra.0+0xa4/0x1fc\n[ 16.510355] try_fill_recv+0x2a4/0x584\n[ 16.526989] virtnet_open+0xd4/0x238\n[ 16.542775] __dev_open+0x110/0x24c\n[ 16.558280] __dev_change_flags+0x194/0x20c\n[ 16.576879] netif_change_flags+0x24/0x6c\n[ 16.594489] dev_change_flags+0x48/0x7c\n[ 16.611462] ip_auto_config+0x258/0x1114\n[ 16.628727] do_one_initcall+0x80/0x1c8\n[ 16.645590] kernel_init_freeable+0x208/0x2f0\n[ 16.664917] kernel_init+0x24/0x1e0\n[ 16.680295] ret_from_fork+0x10/0x20\n[ 16.696369] Code: 927cec03 cb0e0021 8b0e0042 a9411c26 (a900340c)\n[ 16.723106] ---[ end trace 0000000000000000 ]---\n[ 16.752866] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b\n[ 16.792556] Kernel Offset: 0x3396ea200000 from 0xffff8000800000\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/arm64/include/asm/pgtable-prot.h", "arch/arm64/include/asm/pgtable.h", "arch/arm64/mm/mmu.c", "arch/arm64/mm/pageattr.c", "arch/arm64/mm/trans_pgd.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "8140b21d19015227a28c255404462f2d3e6edc9a", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "747b6482e4e227fd351197dde6f64a97107a9e52", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "cbea627ea634f41c79d18f0c6d20db66fa93514c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/arm64/include/asm/pgtable-prot.h", "arch/arm64/include/asm/pgtable.h", "arch/arm64/mm/mmu.c", "arch/arm64/mm/pageattr.c", "arch/arm64/mm/trans_pgd.c"], "versions": [{"version": "6.18.24", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.14", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.1", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.18.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.19.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.0.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/8140b21d19015227a28c255404462f2d3e6edc9a"}, {"url": "https://git.kernel.org/stable/c/747b6482e4e227fd351197dde6f64a97107a9e52"}, {"url": "https://git.kernel.org/stable/c/cbea627ea634f41c79d18f0c6d20db66fa93514c"}], "title": "arm64: mm: Handle invalid large leaf mappings correctly", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: mm: Handle invalid large leaf mappings correctly\n\nIt has been possible for a long time to mark ptes in the linear map as\ninvalid. This is done for secretmem, kfence, realm dma memory un/share,\nand others, by simply clearing the PTE_VALID bit. But until commit\na166563e7ec37 (\"arm64: mm: support large block mapping when\nrodata=full\") large leaf mappings were never made invalid in this way.\n\nIt turns out various parts of the code base are not equipped to handle\ninvalid large leaf mappings (in the way they are currently encoded) and\nI've observed a kernel panic while booting a realm guest on a\nBBML2_NOABORT system as a result:\n\n[ 15.432706] software IO TLB: Memory encryption is active and system is using DMA bounce buffers\n[ 15.476896] Unable to handle kernel paging request at virtual address ffff000019600000\n[ 15.513762] Mem abort info:\n[ 15.527245] ESR = 0x0000000096000046\n[ 15.548553] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 15.572146] SET = 0, FnV = 0\n[ 15.592141] EA = 0, S1PTW = 0\n[ 15.612694] FSC = 0x06: level 2 translation fault\n[ 15.640644] Data abort info:\n[ 15.661983] ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000\n[ 15.694875] CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n[ 15.723740] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 15.755776] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000081f3f000\n[ 15.800410] [ffff000019600000] pgd=0000000000000000, p4d=180000009ffff403, pud=180000009fffe403, pmd=00e8000199600704\n[ 15.855046] Internal error: Oops: 0000000096000046 [#1] SMP\n[ 15.886394] Modules linked in:\n[ 15.900029] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 7.0.0-rc4-dirty #4 PREEMPT\n[ 15.935258] Hardware name: linux,dummy-virt (DT)\n[ 15.955612] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 15.986009] pc : __pi_memcpy_generic+0x128/0x22c\n[ 16.006163] lr : swiotlb_bounce+0xf4/0x158\n[ 16.024145] sp : ffff80008000b8f0\n[ 16.038896] x29: ffff80008000b8f0 x28: 0000000000000000 x27: 0000000000000000\n[ 16.069953] x26: ffffb3976d261ba8 x25: 0000000000000000 x24: ffff000019600000\n[ 16.100876] x23: 0000000000000001 x22: ffff0000043430d0 x21: 0000000000007ff0\n[ 16.131946] x20: 0000000084570010 x19: 0000000000000000 x18: ffff00001ffe3fcc\n[ 16.163073] x17: 0000000000000000 x16: 00000000003fffff x15: 646e612065766974\n[ 16.194131] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n[ 16.225059] x11: 0000000000000000 x10: 0000000000000010 x9 : 0000000000000018\n[ 16.256113] x8 : 0000000000000018 x7 : 0000000000000000 x6 : 0000000000000000\n[ 16.287203] x5 : ffff000019607ff0 x4 : ffff000004578000 x3 : ffff000019600000\n[ 16.318145] x2 : 0000000000007ff0 x1 : ffff000004570010 x0 : ffff000019600000\n[ 16.349071] Call trace:\n[ 16.360143] __pi_memcpy_generic+0x128/0x22c (P)\n[ 16.380310] swiotlb_tbl_map_single+0x154/0x2b4\n[ 16.400282] swiotlb_map+0x5c/0x228\n[ 16.415984] dma_map_phys+0x244/0x2b8\n[ 16.432199] dma_map_page_attrs+0x44/0x58\n[ 16.449782] virtqueue_map_page_attrs+0x38/0x44\n[ 16.469596] virtqueue_map_single_attrs+0xc0/0x130\n[ 16.490509] virtnet_rq_alloc.isra.0+0xa4/0x1fc\n[ 16.510355] try_fill_recv+0x2a4/0x584\n[ 16.526989] virtnet_open+0xd4/0x238\n[ 16.542775] __dev_open+0x110/0x24c\n[ 16.558280] __dev_change_flags+0x194/0x20c\n[ 16.576879] netif_change_flags+0x24/0x6c\n[ 16.594489] dev_change_flags+0x48/0x7c\n[ 16.611462] ip_auto_config+0x258/0x1114\n[ 16.628727] do_one_initcall+0x80/0x1c8\n[ 16.645590] kernel_init_freeable+0x208/0x2f0\n[ 16.664917] kernel_init+0x24/0x1e0\n[ 16.680295] ret_from_fork+0x10/0x20\n[ 16.696369] Code: 927cec03 cb0e0021 8b0e0042 a9411c26 (a900340c)\n[ 16.723106] ---[ end trace 0000000000000000 ]---\n[ 16.752866] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b\n[ 16.792556] Kernel Offset: 0x3396ea200000 from 0xffff8000800000\n---truncated---"}], "id": "CVE-2026-31600", "lastModified": "2026-04-24T17:51:40.810", "metrics": {}, "published": "2026-04-24T15:16:38.920", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/747b6482e4e227fd351197dde6f64a97107a9e52"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8140b21d19015227a28c255404462f2d3e6edc9a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cbea627ea634f41c79d18f0c6d20db66fa93514c"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: arm64: mm: Handle invalid large leaf mappings correctly", "id": "2461514", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461514"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-372", "details": ["A flaw was found in the Linux kernel's memory management for the arm64 architecture. The kernel incorrectly processes invalid large leaf mappings, which are specific entries used to manage system memory. This vulnerability can be triggered by a local user or a guest operating system, leading to a kernel panic and a denial of service, making the system unavailable."], "name": "CVE-2026-31600", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31600\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31600\nhttps://lore.kernel.org/linux-cve-announce/2026042418-CVE-2026-31600-3260@gregkh/T"], "threat_severity": "Moderate"}

{}