CVE-2026-31467
Published: 22 April 2026
Summary
CVE-2026-31467 is a high-severity Improper Locking (CWE-667) vulnerability in the Linux kernel. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 19.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates CVE-2026-31467 by requiring timely remediation through application of kernel patches that add memalloc_noio wrappers to prevent deadlocks in bio completion paths during memory pressure.
Addresses the high-impact denial-of-service effect of the vulnerability by implementing protections against remote attacks triggering EROFS decompression deadlocks.
Protects availability of memory and I/O resources to counter deadlocks from vm_map_ram swapping during bio completion in process context.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE directly enables remote exploitation of a kernel deadlock in the EROFS decompression/bio completion path, causing an endpoint DoS via system hang (matching T1499.004, Application or System Exploitation).
NVD Description
In the Linux kernel, the following vulnerability has been resolved:
erofs: add GFP_NOIO in the bio completion if needed
The bio completion path in the process context (e.g. dm-verity) will directly call into decompression rather than trigger another workqueue context for minimal scheduling latencies, which can then call vm_map_ram() with GFP_KERNEL. Due to insufficient memory, vm_map_ram() may generate memory swapping I/O, which can cause submit_bio_wait to deadlock in some scenarios. Trimmed down the call stack, as follows:
f2fs_submit_read_io
submit_bio                      // bio_list is initialized.
mmc_blk_mq_recovery
z_erofs_endio
vm_map_ram
__pte_alloc_kernel
__alloc_pages_direct_reclaim
shrink_folio_list
__swap_writepage
submit_bio_wait                 // bio_list is non-NULL, hang!!!
Use memalloc_noio_{save,restore}() to wrap up this path.
Deeper analysis
CVE-2026-31467 is a vulnerability in the Linux kernel's EROFS (Enhanced Read-Only File System) implementation. The issue occurs in the bio completion path when it runs in process context, such as under dm-verity, where decompression directly invokes vm_map_ram() with GFP_KERNEL. Under memory pressure that allocation can trigger swap I/O via __pte_alloc_kernel and direct reclaim, and submit_bio_wait then deadlocks because the task's bio_list is still non-NULL, as the call stack in the NVD description shows (f2fs_submit_read_io, mmc_blk_mq_recovery, z_erofs_endio, then the memory allocation functions).
A remote network attacker with no privileges or user interaction can exploit this vulnerability with low complexity, achieving a high-impact denial of service. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects its potential to cause system hangs or deadlocks during read I/O on affected filesystems, particularly where EROFS decompression and block device recovery are involved.
Mitigation requires applying upstream kernel patches, as detailed in the referenced stable commit fixes: 378949f46e897204384f3f5f91e42e93e3f87568, 5c8ecdcfbfb0b0c6a82a4ebadc1ddea61609b902, c23df30915f83e7257c8625b690a1cece94142a0, d6565ea662e17d45a577184b0011bd69de22dc2b, and d9d8360cb66e3b599d89d2526e7da8b530ebf2ff. These commits introduce memalloc_noio_{save,restore}() wrappers around the affected bio completion path to prevent I/O during memory allocation.
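The deadlock and the memalloc_noio fix can be illustrated with a constructed userspace C model, added here and not taken from the kernel: the task flag, the plugged bio_list, reclaim and the completion path are all stand-ins, but the control flow follows the call stack quoted in the NVD description, and the "fixed" endio applies the same save/restore scope the upstream commits add.

```c
#include <stdbool.h>
/* Constructed userspace model of CVE-2026-31467: every name below is a
 * stand-in for the kernel object of the same name, not the real one. */
#define PF_MEMALLOC_NOIO 0x1u          /* scope bit in current->flags */
static unsigned int task_flags;
static unsigned int memalloc_noio_save(void)
{
    unsigned int old = task_flags;
    task_flags |= PF_MEMALLOC_NOIO;
    return old;
}
static void memalloc_noio_restore(unsigned int old) { task_flags = old; }
/* The task's plugged bio_list: non-NULL from submit_bio() until the
 * submission finishes, so a nested I/O wait issued meanwhile never ends. */
static bool bio_list_active;
static bool memory_pressure = true;    /* the "insufficient memory" case */
enum result { OK = 0, DEADLOCK = 1 };
/* submit_bio_wait() reached from reclaim while bio_list is non-NULL: hang. */
static enum result submit_bio_wait(void)
{
    return bio_list_active ? DEADLOCK : OK;
}
/* vm_map_ram(GFP_KERNEL) -> __pte_alloc_kernel -> __alloc_pages_direct_reclaim
 * -> shrink_folio_list -> __swap_writepage -> submit_bio_wait, unless the
 * NOIO scope stops reclaim from doing I/O. */
static enum result vm_map_ram(void)
{
    if (memory_pressure && !(task_flags & PF_MEMALLOC_NOIO))
        return submit_bio_wait();
    return OK;                          /* reclaim without I/O */
}
/* z_erofs_endio() before the fix: decompression maps pages directly. */
static enum result z_erofs_endio_unfixed(void) { return vm_map_ram(); }
/* z_erofs_endio() with the fix: memalloc_noio_{save,restore}() around it. */
static enum result z_erofs_endio_fixed(void)
{
    unsigned int flags = memalloc_noio_save();
    enum result r = vm_map_ram();
    memalloc_noio_restore(flags);
    return r;
}
/* Completion in process context (e.g. dm-verity) while the submission that
 * initialised bio_list is still in progress (the f2fs_submit_read_io ->
 * submit_bio -> mmc_blk_mq_recovery -> z_erofs_endio chain). */
static enum result run_completion(enum result (*endio)(void))
{
    bio_list_active = true;
    enum result r = endio();
    bio_list_active = false;
    return r;
}
```

The unfixed path returns DEADLOCK under memory pressure because reclaim issues swap I/O while the bio_list is still plugged; the fixed path returns OK and leaves task_flags as it found them.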
Details
- CWE(s)