Cyber Resilience

CVE-2026-31397

Severity: High · Updated
Published: 03 April 2026
Modified: 20 May 2026
KEV Added: not listed
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (4.6th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31397 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in the Linux kernel (vendor: Linux, product: Linux Kernel). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 4.6th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-31397 is a vulnerability in the Linux kernel's mm/huge_memory subsystem, specifically in the move_pages_huge_pmd() function. This function handles UFFDIO_MOVE operations for both transparent huge pages (THPs) and huge zero pages. When processing huge zero pages, src_folio is set to NULL as a sentinel to skip certain folio operations, but this leads to issues: folio_mk_pmd() passes NULL through folio_pfn() and page_to_pfn(), resulting in a bogus PFN under SPARSEMEM_VMEMMAP (installing a PMD pointing to non-existent memory) or a NULL dereference on other memory models. Additionally, reconstructing the destination PMD drops special PMD state (e.g., pmd_special()), causing vm_normal_page_pmd() to mishandle it as a normal page and corrupt refcounts.

The vulnerability can be exploited by a local attacker with low privileges (AV:L/AC:L/PR:L/UI:N/S:U). Such an attacker could trigger the flawed handling during userfaultfd (UFFDIO_MOVE) operations on huge zero PMDs, potentially leading to memory corruption, NULL dereferences, or installation of invalid PMD entries. The rated impact is high on confidentiality, integrity, and availability (CVSS 7.8: C:H/I:H/A:H), corresponding to outcomes such as arbitrary memory access, process crashes, or kernel instability.

Mitigation involves applying the upstream kernel patches referenced in the stable git repositories, including commits e3133d0986dc5a231d5419167dbac65312b28b41, f3caaee0f9e489fd2282d4ce45791dc8aed2da62, and fae654083bfa409bb2244f390232e2be47f05bfc. These fixes ensure valid folio retrieval via page_folio(src_page) for huge zero pages and properly derive the destination PMD from src_pmdval while preserving special metadata, marking it soft-dirty, and clearing uffd-wp as in move_huge_pmd().

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

mm/huge_memory: fix use of NULL folio in move_pages_huge_pmd()

move_pages_huge_pmd() handles UFFDIO_MOVE for both normal THPs and huge zero pages. For the huge zero page path, src_folio is explicitly set to NULL, and is used as a sentinel to skip folio operations like lock and rmap.

In the huge zero page branch, src_folio is NULL, so folio_mk_pmd(NULL, pgprot) passes NULL through folio_pfn() and page_to_pfn(). With SPARSEMEM_VMEMMAP this silently produces a bogus PFN, installing a PMD pointing to non-existent physical memory. On other memory models it is a NULL dereference.

Use page_folio(src_page) to obtain the valid huge zero folio from the page, which was obtained from pmd_page() and remains valid throughout.

After commit d82d09e48219 ("mm/huge_memory: mark PMD mappings of the huge zero folio special"), moved huge zero PMDs must remain special so vm_normal_page_pmd() continues to treat them as special mappings. move_pages_huge_pmd() currently reconstructs the destination PMD in the huge zero page branch, which drops PMD state such as pmd_special() on architectures with CONFIG_ARCH_HAS_PTE_SPECIAL. As a result, vm_normal_page_pmd() can treat the moved huge zero PMD as a normal page and corrupt its refcount.

Instead of reconstructing the PMD from the folio, derive the destination entry from src_pmdval after pmdp_huge_clear_flush(), then handle the PMD metadata the same way move_huge_pmd() does for moved entries by marking it soft-dirty and clearing uffd-wp.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1212 Exploitation for Credential Access (tactic: Credential Access)
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Local kernel memory corruption (arbitrary access, NULL deref, invalid PMD) in move_pages_huge_pmd() directly enables privilege escalation via exploitation (T1068), credential access via memory reads (T1212), and system crashes/DoS via invalid page mappings (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-31404 (same product: Linux kernel)
CVE-2026-23198 (same product: Linux kernel)
CVE-2026-31657 (same product: Linux kernel)
CVE-2026-22992 (same product: Linux kernel)
CVE-2026-22991 (same product: Linux kernel)
CVE-2026-31453 (same product: Linux kernel)
CVE-2026-31600 (same product: Linux kernel)
CVE-2026-22998 (same product: Linux kernel)
CVE-2026-23242 (same product: Linux kernel)
CVE-2026-31638 (same product: Linux kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 7.0 · 6.16 to 6.18.20 · 6.19 to 6.19.10
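As an added triage example (not code from this page or from the kernel project), the following Python classifies a kernel release string against the affected ranges listed above and reports the active transparent-hugepage mode, the configuration setting the page's mitigating controls point to. It assumes the listed range endpoints are inclusive and that the bare "7.0" entry covers the 7.0.x series; because distribution kernels may backport the fix without changing the upstream version number, a positive result is a prompt to check the package changelog, not proof of exposure.

```python
import platform
import re
from typing import Tuple

# Affected ranges as listed on this page for CVE-2026-31397.
# Assumption: endpoints are inclusive; the bare "7.0" entry is taken as 7.0.x.
AFFECTED_RANGES = [
    ((6, 16, 0), (6, 18, 20)),
    ((6, 19, 0), (6, 19, 10)),
    ((7, 0, 0), (7, 0, 999)),
]

def parse_kernel_release(release: str) -> Tuple[int, int, int]:
    """Reduce a `uname -r` string such as '6.18.20-1-generic' to (6, 18, 20);
    a missing patch level defaults to 0, so '6.19' becomes (6, 19, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_affected_version(release: str) -> bool:
    """True when the upstream version falls inside a listed range. Distribution
    kernels may carry a backported fix, so treat this as a triage hint only."""
    v = parse_kernel_release(release)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def active_thp_mode(sysfs_text: str) -> str:
    """Return the bracketed (active) value of the THP 'enabled' sysfs file,
    e.g. 'always [madvise] never' -> 'madvise'."""
    m = re.search(r"\[(\w+)\]", sysfs_text)
    return m.group(1) if m else "unknown"

def assess(release: str, sysfs_text: str) -> str:
    """Combine both checks into a one-line triage verdict."""
    if not is_affected_version(release):
        return f"{release}: version outside the listed affected ranges"
    mode = active_thp_mode(sysfs_text)
    if mode == "never":
        return f"{release}: affected version, but THP is disabled (never)"
    return f"{release}: affected version with THP mode '{mode}'; apply the fix"

if __name__ == "__main__":
    try:
        with open("/sys/kernel/mm/transparent_hugepage/enabled") as f:
            thp = f.read()
    except OSError:  # not Linux, or sysfs unavailable
        thp = "unknown"
    print(assess(platform.release(), thp))
```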

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Control type: prevent (SI-2 Flaw Remediation)
Requires timely remediation of the specific kernel flaw in move_pages_huge_pmd() by applying upstream patches to prevent memory corruption.

Control type: prevent (CM-6 Configuration Settings)
Enforces secure kernel configuration settings, such as disabling transparent huge pages, to avoid triggering the vulnerable UFFDIO_MOVE code path on huge zero pages.

Control type: prevent
Implements kernel memory protections such as SMEP/SMAP and page table isolation to mitigate the impact of bogus PFNs and refcount corruption from invalid PMD installations.
