CVE-2026-31468
Published: 22 April 2026
Summary
CVE-2026-31468 is a high-severity Double Free (CWE-415) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-11 (Error Handling).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- Timely flaw remediation through kernel patching directly resolves the double free vulnerability in the VFIO PCI dma-buf feature by applying the available stable commits.
- Memory protection mechanisms like KASLR, SMEP, and SMAP mitigate exploitation of the double free by complicating memory corruption attacks from local low-privilege users.
- Robust error handling ensures balanced resource management in error paths, preventing unbalanced refcounts and double frees during file descriptor exhaustion in VFIO PCI.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
Double-free memory corruption in the kernel's VFIO driver directly enables local exploitation for privilege escalation, giving an attacker arbitrary code execution and full system compromise (confidentiality, integrity and availability impact).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Fix double free in dma-buf feature The error path through vfio_pci_core_feature_dma_buf() ignores its own advice to only use dma_buf_put() after dma_buf_export(), instead falling through the entire unwind chain. In the unlikely event that we encounter file descriptor exhaustion, this can result in an unbalanced refcount on the vfio device and double free of allocated objects. Avoid this by moving the "put" directly into the error path and return the errno rather than entering the unwind chain.
Deeper analysis [AI-generated]
CVE-2026-31468 is a double free vulnerability in the Linux kernel's VFIO PCI driver, specifically within the dma-buf feature handled by vfio_pci_core_feature_dma_buf(). The issue is in the error path taken when file descriptors are exhausted: once dma_buf_export() has succeeded, the exported dma-buf owns the allocated objects and the reference on the VFIO device, so the only correct cleanup is a single dma_buf_put(). Instead the function also falls through the full unwind chain, which drops the device reference a second time and frees the already-released objects again.
The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited by a local attacker with low privileges. Exploitation requires low complexity and no user interaction, potentially allowing the attacker to achieve high impacts on confidentiality, integrity, and availability through memory corruption resulting from the double free.
Mitigation patches are available via Linux kernel stable repository commits at https://git.kernel.org/stable/c/83ad334afc9a645cef1062f5346526b1e36d6516 and https://git.kernel.org/stable/c/e98137f0a874ab36d0946de4707aa48cb7137d1c. These fixes relocate the dma_buf_put() call directly into the error path and return the errno, bypassing the unwind chain to prevent the unbalanced refcount and double free.
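The ownership hand-off described above is easy to get wrong in any refcounted API, so here is an added userspace model of it; this is example code written for this page, not kernel code or the patch itself. All names (vdev_t, priv_t, dmabuf_t, feature_dma_buf, run_scenario) are hypothetical stand-ins for the kernel objects, and model frees are counted rather than performed so the double free shows up as a number instead of undefined behaviour. The same function runs the pre-fix pattern (put, then fall into the unwind chain) and the fixed pattern (put, then return the errno) so the two outcomes can be compared.

```c
/* Added example, not kernel code: a userspace model of the ownership hand-off
 * the advisory describes. All names are hypothetical stand-ins for the
 * kernel's vfio/dma-buf objects. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { int refcount; } vdev_t;                 /* the vfio device */
typedef struct { vdev_t *vdev; } priv_t;                 /* per-export private object */
typedef struct { priv_t *priv; int refcount; } dmabuf_t; /* the exported dma-buf */

static int g_priv_frees; /* counts model frees so a double free is visible, not UB */

static void priv_free(priv_t *p) { (void)p; g_priv_frees++; }

/* The dma-buf release callback: drops the device ref and frees priv.
 * Once export has succeeded, this callback IS the unwind. */
static void dmabuf_release(dmabuf_t *buf) {
    buf->priv->vdev->refcount--;
    priv_free(buf->priv);
    free(buf);
}

static void dmabuf_put(dmabuf_t *buf) {
    if (--buf->refcount == 0) dmabuf_release(buf);
}

/* Export hands ownership of priv, and the device reference it holds, to the dma-buf. */
static dmabuf_t *dmabuf_export(priv_t *priv) {
    dmabuf_t *buf = calloc(1, sizeof *buf);
    buf->priv = priv;
    buf->refcount = 1;
    return buf;
}

/* Installing the fd is the step that fails under fd exhaustion (-EMFILE). */
static int dmabuf_fd(dmabuf_t *buf, int fail_fd) {
    (void)buf;
    return fail_fd ? -EMFILE : 3; /* 3 is a constructed fd value */
}

/* Model of the feature ioctl. fixed=0 reproduces the pattern the advisory
 * describes (put, then fall into the unwind chain); fixed=1 returns right after put. */
static int feature_dma_buf(vdev_t *vdev, int fail_fd, int fixed,
                           priv_t **out_priv, dmabuf_t **out_buf) {
    priv_t *priv = calloc(1, sizeof *priv);
    dmabuf_t *buf;
    int ret;

    *out_priv = priv;
    *out_buf = NULL;
    priv->vdev = vdev;
    vdev->refcount++;                     /* take a device reference */

    buf = dmabuf_export(priv);            /* from here on, buf owns priv and the ref */
    ret = dmabuf_fd(buf, fail_fd);
    if (ret < 0) {
        dmabuf_put(buf);                  /* correct: release() does the cleanup */
        if (fixed)
            return ret;                   /* fix: hand back the errno, no unwind */
        goto err_unwind;                  /* bug: unwind again on top of release() */
    }
    *out_buf = buf;                       /* the fd (the caller) now holds the buffer */
    return ret;

err_unwind:
    /* Unwind meant for failures *before* export: a second device put and a
     * second free of priv, exactly the imbalance the advisory describes. */
    vdev->refcount--;
    priv_free(priv);
    return ret;
}

typedef struct { int ret, vdev_refcount, priv_frees; } outcome_t;

/* Runs one scenario on a fresh device that starts with one reference (its opener).
 * A balanced run ends with vdev_refcount == 1 and priv_frees == 1. */
static outcome_t run_scenario(int fail_fd, int fixed) {
    vdev_t vdev = { .refcount = 1 };
    priv_t *priv;
    dmabuf_t *buf;
    g_priv_frees = 0;
    int ret = feature_dma_buf(&vdev, fail_fd, fixed, &priv, &buf);
    if (buf) dmabuf_put(buf);             /* success path: model close(fd) */
    outcome_t o = { ret, vdev.refcount, g_priv_frees };
    free(priv);                           /* real storage released once, by the harness */
    return o;
}

int main(void) {
    const char *names[] = { "fd exhausted, pre-fix", "fd exhausted, fixed", "success" };
    outcome_t o[] = { run_scenario(1, 0), run_scenario(1, 1), run_scenario(0, 1) };
    for (int i = 0; i < 3; i++)
        printf("%-22s ret=%d vdev_refcount=%d priv_frees=%d\n",
               names[i], o[i].ret, o[i].vdev_refcount, o[i].priv_frees);
    return 0;
}
```

The pre-fix scenario ends with the device reference count one lower than it started and the private object freed twice; the fixed scenario and the success path both end balanced. The general rule the fix applies is that after an export call transfers ownership to an object with its own release callback, later failures must be handled by dropping that object's reference and returning, never by re-running the cleanup that applies only before the transfer.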
Details
- CWE(s)