Description
In the Linux kernel, the following vulnerability has been resolved:

xen/privcmd: fix double free via VMA splitting

privcmd_vm_ops defines .close (privcmd_close), but neither .may_split
nor .open. When userspace does a partial munmap() on a privcmd mapping,
the kernel splits the VMA via __split_vma(). Since may_split is NULL,
the split is allowed. vm_area_dup() copies vm_private_data (a pages
array allocated in alloc_empty_pages()) into the new VMA without any
fixup, because there is no .open callback.

Both VMAs now point to the same pages array. When the unmapped portion
is closed, privcmd_close() calls:
- xen_unmap_domain_gfn_range()
- xen_free_unpopulated_pages()
- kvfree(pages)

The surviving VMA still holds the dangling pointer. When it is later
destroyed, the same sequence runs again, which leads to a double free.

Fix this issue by adding a .may_split callback denying the VMA split.

This is XSA-487 / CVE-2026-31787
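To make the sequence in the commit message concrete, here is an added user-space model of it (not kernel code, and not the actual privcmd patch): a VMA struct whose split copies the private pointer verbatim, a close handler that frees the pages array, and a may_split callback that refuses the split, which is the shape of the fix described above. All names with the model_ prefix are constructed for this example; only the two vm_operations_struct members it mirrors (.close and .may_split, the latter taking the VMA and the split address) come from the kernel. The second free is counted rather than performed so the model can be run safely.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the pages array that privcmd stores in
 * vm_private_data; 'freed' lets the model detect a second free instead
 * of corrupting the heap. */
struct model_pages {
    size_t nr_pages;
    int freed;
};

struct model_vma;

/* Mirrors the two vm_operations_struct members the commit message discusses.
 * may_split == NULL means "split allowed", as in the unpatched driver. */
struct model_vm_ops {
    void (*close)(struct model_vma *vma);
    int (*may_split)(struct model_vma *vma, unsigned long addr);
};

struct model_vma {
    unsigned long start;
    unsigned long end;
    const struct model_vm_ops *ops;
    struct model_pages *private_data;   /* models vm_private_data */
};

/* Number of times a pages array was "freed" after it was already freed. */
static int double_free_count;

/* Models privcmd_close(): unmap, release and free the pages array. */
static void model_close(struct model_vma *vma)
{
    struct model_pages *pages = vma->private_data;

    if (!pages)
        return;
    if (pages->freed) {
        /* In the kernel this would be the second kvfree() of the same pointer. */
        double_free_count++;
        return;
    }
    pages->freed = 1;
}

/* The fix from the commit message: refuse to split a privcmd VMA at all. */
static int model_deny_split(struct model_vma *vma, unsigned long addr)
{
    (void)vma;
    (void)addr;
    return -EINVAL;
}

/* Models __split_vma() + vm_area_dup(): the new VMA is a verbatim copy,
 * private_data pointer included, and there is no .open hook to fix it up. */
static int model_split_vma(struct model_vma *vma, unsigned long addr,
                           struct model_vma *new_vma)
{
    if (vma->ops->may_split) {
        int err = vma->ops->may_split(vma, addr);
        if (err)
            return err;
    }
    *new_vma = *vma;
    vma->end = addr;
    new_vma->start = addr;
    return 0;
}

/* Partial munmap() of the upper half, then teardown of what survives.
 * Returns how many double frees the scenario produced. */
static int model_run_scenario(const struct model_vm_ops *ops)
{
    struct model_pages pages = { .nr_pages = 4, .freed = 0 };
    struct model_vma vma = { .start = 0x1000, .end = 0x5000,
                             .ops = ops, .private_data = &pages };
    struct model_vma tail;

    double_free_count = 0;
    if (model_split_vma(&vma, 0x3000, &tail) == 0)
        ops->close(&tail);      /* unmapped portion is closed first */
    ops->close(&vma);           /* surviving VMA is destroyed later */
    return double_free_count;
}

static const struct model_vm_ops model_vulnerable_ops = {
    .close = model_close, .may_split = NULL,
};
static const struct model_vm_ops model_fixed_ops = {
    .close = model_close, .may_split = model_deny_split,
};

int main(void)
{
    printf("without .may_split: %d double free(s)\n",
           model_run_scenario(&model_vulnerable_ops));
    printf("with .may_split denying the split: %d double free(s)\n",
           model_run_scenario(&model_fixed_ops));
    return 0;
}
```

With the NULL may_split the model reports one double free, because the copied private_data pointer is released once per VMA; with the denying callback the split fails with -EINVAL, the mapping stays whole, and the pages array is freed exactly once. An .open callback that gave the new VMA its own reference would be the alternative the commit message mentions; denying the split is the smaller change.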
Published: 2026-04-30
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel has a double-free flaw in the xen/privcmd virtual memory area (VMA) handling. When a userspace process performs a partial munmap() on a privcmd mapping, the kernel splits the VMA and copies the pointer to the pages array into the new VMA without any fixup. The original and split VMAs then both reference the same array, and each VMA's close handler frees it, causing a double free. This kernel-level memory corruption can be leveraged by an attacker. Based on the description, it is inferred that an attacker could potentially execute arbitrary code with elevated privileges, leading to full control over the system. The vulnerability also creates a denial-of-service avenue through kernel crashes or OOM conditions.

Affected Systems

All Linux kernel releases that include the xen/privcmd module and predate the patch for XSA-487 (CVE-2026-31787) are affected. No specific version range is supplied; the fix applies to any kernel that embeds the vulnerable code path.

Risk and Exploitability

The risk is high because the flaw occurs in kernel memory management and can be triggered by any user able to create a privcmd mapping. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, but the severity is effectively high due to the potential for arbitrary code execution. Based on the description, it is inferred that an attacker does not need advanced privileges to exploit the underlying code, though the exact attack surface (e.g., whether only privileged processes can create privcmd mappings) is not detailed in the description. Because privcmd_vm_ops defines no .may_split callback, the split proceeds unconditionally, making the exploit path straightforward once the vulnerable mapping exists.

Generated by OpenCVE AI on May 1, 2026 at 05:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the XSA‑487 fix, which adds a .may_split callback to the privcmd vm_ops structure.
  • Reboot the system after the kernel update to ensure the patched VMA handling logic is active in all kernel components.
  • Verify that no untrusted or unprivileged users retain the ability to create privcmd mappings; adjust SELinux, AppArmor, or equivalent policies to restrict such operations until all vulnerable hardware and drivers are updated.


Advisories

Source        ID            Title
Debian DLA    DLA-4561-1    linux-6.1 security update
Debian DSA    DSA-6238-1    linux security update
Debian DSA    DSA-6243-1    linux security update
History

Sat, 02 May 2026 00:15:00 +0000

Type: Values Removed / Values Added
Weaknesses: CWE-763
References: (none)
Metrics:
  threat_severity: None
  cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  threat_severity: Important

Fri, 01 May 2026 05:30:00 +0000

Type: Values Removed / Values Added
Weaknesses: CWE-415

Thu, 30 Apr 2026 11:30:00 +0000

Thu, 30 Apr 2026 11:15:00 +0000

Type: Values Removed / Values Added
Description: (added; identical to the Description section at the top of this page)
Title: xen/privcmd: fix double free via VMA splitting
First Time appeared: Linux, Linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux, Linux Kernel
References: (none)

MITRE

Status: PUBLISHED
Assigner: Linux
Published:
Updated: 2026-04-30T10:39:37.622Z
Reserved: 2026-03-09T15:48:24.141Z
Link: CVE-2026-31787

Vulnrichment

No data.

NVD

Status: Awaiting Analysis
Published: 2026-04-30T11:16:21.087
Modified: 2026-04-30T17:11:25.563
Link: CVE-2026-31787

Redhat

Severity: Important
Public Date: 2026-04-30T00:00:00Z
Links: CVE-2026-31787 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-01T05:15:09Z

Weaknesses