Description
In the Linux kernel, the following vulnerability has been resolved:

xen/privcmd: fix double free via VMA splitting

privcmd_vm_ops defines .close (privcmd_close), but neither .may_split
nor .open. When userspace does a partial munmap() on a privcmd mapping,
the kernel splits the VMA via __split_vma(). Since may_split is NULL,
the split is allowed. vm_area_dup() copies vm_private_data (a pages
array allocated in alloc_empty_pages()) into the new VMA without any
fixup, because there is no .open callback.

Both VMAs now point to the same pages array. When the unmapped portion
is closed, privcmd_close() calls:
- xen_unmap_domain_gfn_range()
- xen_free_unpopulated_pages()
- kvfree(pages)

The surviving VMA still holds the dangling pointer. When it is later
destroyed, the same sequence runs again, which leads to a double free.

Fix this issue by adding a .may_split callback denying the VMA split.

This is XSA-487 / CVE-2026-31787
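To make the sequence above concrete, the following is an added userspace model of the VMA lifecycle (constructed for this page, not code from the kernel or from the XSA-487 patch): a VMA carrying a pages pointer, a close handler that releases it, and a split that copies the pointer into the new VMA because nothing refuses it. The names model_close, deny_split, split_vma and run_lifecycle are hypothetical stand-ins for privcmd_close(), the patch's may_split handler, __split_vma()/vm_area_dup() and the partial munmap() path; the page does not name the real callback.

```c
#include <errno.h>
/* Constructed userspace model of the privcmd VMA lifecycle, not kernel code:
 * a VMA owns a pages array, .close releases it, and a split copies the VMA
 * verbatim unless .may_split refuses. */
struct vma {
    unsigned long start, end;
    void *pages;                   /* stands in for vm_private_data */
    const struct vm_ops *ops;
};
struct vm_ops {
    void (*close)(struct vma *v);
    int  (*may_split)(struct vma *v, unsigned long addr);
};
static int free_count;             /* releases of the one pages array */
/* privcmd_close() analogue: releases unconditionally; it cannot tell that
 * another VMA still references the same array. */
static void model_close(struct vma *v)
{
    if (v->pages)
        free_count++;              /* kvfree(pages) in the kernel */
}
/* The fix: refuse every split of a privcmd mapping. */
static int deny_split(struct vma *v, unsigned long addr)
{ (void)v; (void)addr; return -EINVAL; }
/* __split_vma() + vm_area_dup() analogue: with no .open callback the
 * private pointer is copied into the new VMA without any fixup. */
static int split_vma(struct vma *orig, unsigned long addr, struct vma *tail)
{
    if (orig->ops->may_split && orig->ops->may_split(orig, addr))
        return -EINVAL;
    *tail = *orig;
    tail->start = addr;
    orig->end = addr;
    return 0;
}
/* Map, partially munmap() (split, then close the tail), then tear down the
 * survivor. Returns how many times the single pages array was released. */
static int run_lifecycle(const struct vm_ops *ops)
{
    char pages[16];
    struct vma head = { 0x1000, 0x3000, pages, ops }, tail;
    free_count = 0;
    if (split_vma(&head, 0x2000, &tail) == 0)
        ops->close(&tail);         /* unmapped half torn down first */
    ops->close(&head);             /* survivor destroyed later */
    return free_count;
}
static const struct vm_ops vulnerable_ops = { model_close, 0 };
static const struct vm_ops fixed_ops      = { model_close, deny_split };
```

With vulnerable_ops the one array is released twice (the double free); with fixed_ops the split fails with -EINVAL and the array is released exactly once.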
Published: 2026-04-30
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel contains a double-free flaw in the xen/privcmd memory handling code. When a userspace process performs a partial munmap() on a privcmd mapping, the kernel splits the VMA without a .may_split check. The split creates a duplicate VMA that points to the same pages array, and the close handlers of both the original and the split VMA free that array. The double free in kernel space can corrupt kernel memory and allow an attacker to execute arbitrary code with elevated privileges.

Affected Systems

All Linux kernel releases that include the unpatched xen/privcmd module are vulnerable, since the issue lives in the original privcmd implementation itself. No specific version range is provided in the advisory, so any kernel before the XSA-487 patch that contains the old privcmd code may be affected.

Risk and Exploitability

The CVSS score of 7.8 denotes moderate to high severity, and the EPSS score of <1% indicates a low overall exploitation probability. The vulnerability is not listed in CISA's KEV catalog. The description does not state the exact attack surface, but the likely attack vector is a userspace process that has the ability to create a privcmd mapping, a privilege that is normally reserved for trusted system components or privileged users. Based on the description, it is inferred that an attacker controlling such a privileged process could trigger the double free and then abuse the resulting kernel memory corruption to obtain arbitrary code execution.

Generated by OpenCVE AI on May 6, 2026 at 21:47 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the XSA-487 patch, which adds a .may_split callback to the privcmd vm_ops structure.
  • Reboot the system after applying the kernel update to load the patched code into all kernel components.
  • Ensure that only trusted, privileged processes are allowed to create privcmd mappings; tighten SELinux, AppArmor, or equivalent policies to restrict or deny this operation for untrusted users.



Advisories

Source      ID          Title
Debian DLA  DLA-4561-1  linux-6.1 security update
Debian DSA  DSA-6238-1  linux security update
Debian DSA  DSA-6243-1  linux security update

History

Wed, 06 May 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 04 May 2026 08:45:00 +0000


Sat, 02 May 2026 11:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-763
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Fri, 01 May 2026 05:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415

Thu, 30 Apr 2026 11:30:00 +0000


Thu, 30 Apr 2026 11:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: fix double free via VMA splitting privcmd_vm_ops defines .close (privcmd_close), but neither .may_split nor .open. When userspace does a partial munmap() on a privcmd mapping, the kernel splits the VMA via __split_vma(). Since may_split is NULL, the split is allowed. vm_area_dup() copies vm_private_data (a pages array allocated in alloc_empty_pages()) into the new VMA without any fixup, because there is no .open callback. Both VMAs now point to the same pages array. When the unmapped portion is closed, privcmd_close() calls: - xen_unmap_domain_gfn_range() - xen_free_unpopulated_pages() - kvfree(pages) The surviving VMA still holds the dangling pointer. When it is later destroyed, the same sequence runs again, which leads to a double free. Fix this issue by adding a .may_split callback denying the VMA split. This is XSA-487 / CVE-2026-31787
Title xen/privcmd: fix double free via VMA splitting
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:15:48.239Z

Reserved: 2026-03-09T15:48:24.141Z

Link: CVE-2026-31787

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-30T11:16:21.087

Modified: 2026-05-06T19:38:53.743

Link: CVE-2026-31787

Redhat

Severity : Important

Public Date: 2026-04-30T00:00:00Z

Links: CVE-2026-31787 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-06T22:00:14Z

Weaknesses