CVE-2026-31463
Published: 22 April 2026
Summary
CVE-2026-31463 is a critical-severity vulnerability in the Linux kernel; its weakness class is unspecified. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 29.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31463 is a critical vulnerability in the Linux kernel's iomap subsystem, stemming from improper handling of folios without an inline folio state (ifs) attached. Specifically, when the block size defined by 1 << inode->i_blkbits matches the folio size but differs from the I/O granularity, partial I/O submissions fail to invalidate the current folio context properly. This leads to invalid folio access, as iomap_read_folio_iter() does not clear ctx->cur_folio when bytes submitted equal folio length in non-ifs cases, causing iomap_read_end() to process a folio still owned by the I/O helper.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely by unauthenticated attackers with low complexity and no user interaction. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, potentially allowing arbitrary code execution, data corruption, or denial of service within the kernel context.
Mitigation is available through kernel patches committed to stable branches, including commits 4a927f670cdb0def226f9f85f42a9f19d9e09c88 and bd71fb3fea9945987053968f028a948997cba8cc on git.kernel.org. These fixes unconditionally invalidate ctx->cur_folio in non-ifs cases to prevent the invalid access. Security practitioners should update affected Linux kernels to incorporate these stable commits.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24805
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

iomap: fix invalid folio access when i_blkbits differs from I/O granularity

Commit aa35dd5cbc06 ("iomap: fix invalid folio access after folio_end_read()") partially addressed invalid folio access for folios without an ifs attached, but it did not handle the case where 1 << inode->i_blkbits matches the folio size but is different from the granularity used for the IO, which means IO can be submitted for less than the full folio for the !ifs case.

In this case, the condition:

    if (*bytes_submitted == folio_len)
        ctx->cur_folio = NULL;

in iomap_read_folio_iter() will not invalidate ctx->cur_folio, and iomap_read_end() will still be called on the folio even though the IO helper owns it and will finish the read on it.

Fix this by unconditionally invalidating ctx->cur_folio for the !ifs case.
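The hand-off condition from the commit message above, as a userspace C model added here for illustration (not kernel code and not taken from the patch). The struct and function names, the owner flag and the 4096/512 byte sizes are assumptions constructed for the example; it compares the original check with the unconditional invalidation for the !ifs case.

```c
/* Userspace model of the cur_folio hand-off; NOT kernel code. Every type,
 * name and size (4096-byte folio, 512-byte IO) is a constructed stand-in. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum owner { OWNER_READ_PATH, OWNER_IO_HELPER };
struct folio_model {
    size_t len; bool has_ifs;            /* folio size; per-block state attached? */
    enum owner owner; int bad_touches;   /* who ends the read; invalid accesses */
};
struct read_ctx { struct folio_model *cur_folio; };

/* Submit step: 'plen' bytes are handed to the IO helper. */
static void submit_range(struct read_ctx *ctx, size_t plen,
                         size_t *bytes_submitted, bool patched)
{
    struct folio_model *f = ctx->cur_folio;
    *bytes_submitted += plen;
    /* Assumption: with no ifs, the helper ends the read on the folio itself. */
    if (!f->has_ifs)
        f->owner = OWNER_IO_HELPER;
    /* Original check vs. unconditional invalidation for the !ifs case. */
    if (patched ? (!f->has_ifs || *bytes_submitted == f->len)
                : (*bytes_submitted == f->len))
        ctx->cur_folio = NULL;
}

/* End-of-read step: counts a touch on a folio the helper already owns. */
static void read_end(struct read_ctx *ctx)
{
    if (ctx->cur_folio && ctx->cur_folio->owner == OWNER_IO_HELPER)
        ctx->cur_folio->bad_touches++;
}

/* Returns how often the read path touched a folio it had handed off. */
int simulate(size_t folio_len, size_t io_len, bool has_ifs, bool patched)
{
    struct folio_model f = { folio_len, has_ifs, OWNER_READ_PATH, 0 };
    struct read_ctx ctx = { &f };
    size_t submitted = 0;
    submit_range(&ctx, io_len, &submitted, patched);
    read_end(&ctx);
    return f.bad_touches;
}

int main(void)
{
    printf("unpatched=%d ", simulate(4096, 512, false, false));
    printf("patched=%d\n", simulate(4096, 512, false, true));
    return 0;
}
```

Only the combination of no ifs and a partial submission produces a non-zero count with the original check; a full-folio submission or a folio with an ifs attached does not.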
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Kernel iomap flaw enables arbitrary code execution (and DoS/data corruption) in kernel context; directly maps to exploitation for privilege escalation to obtain root/system-level access.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation through kernel patching directly prevents exploitation of the iomap folio invalid access vulnerability.
Vulnerability scanning identifies Linux kernels vulnerable to CVE-2026-31463's improper folio handling in the iomap subsystem.
Enforcing documented secure configuration settings for kernel versions and I/O parameters partially mitigates risks from mismatched block and I/O granularity.