Cyber Resilience

CVE-2026-31490

High

Published: 22 April 2026

Modified: 28 April 2026
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (4.2th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31490 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-31490 is a use-after-free vulnerability in the Linux kernel's drm/xe/pf component. The issue arises during migration restore operations: when xe_sriov_pf_migration_restore_produce() returns an error, the data pointer is not set to NULL, which can lead to a use-after-free condition in subsequent .write() calls.

A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, as scored by CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), potentially allowing arbitrary code execution or system crashes.

Kernel patches address the issue by explicitly setting the data pointer to NULL upon error in xe_sriov_pf_migration_restore_produce(). The fix, cherry-picked from commit 4f53d8c6d23527d734fe3531d08e15cb170a0819, is available in stable kernel trees via commits at https://git.kernel.org/stable/c/87997b6c6516e049cbaf2fc6810b213d587a06b1 and https://git.kernel.org/stable/c/e28552b4ddea5cb4725380dd08237831af835124.
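
A userspace model of the pattern described above, as an added example that is not the kernel's or this page's code: a write handler keeps a pending packet pointer across calls, and the fix clears that pointer on the error path as well as on success. All names (`session_write`, `produce`, `clear_on_error`) are hypothetical, and the model assumes the error path releases the packet, which the page implies but does not show.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Userspace model. All names are hypothetical, none are the xe driver's. */
struct packet { int live; size_t len; char buf[64]; };
struct session { struct packet *pending; int stale_uses; };

/* Static pool: a released packet stays inspectable, so no freed heap is touched. */
static struct packet pool[4];

static struct packet *packet_alloc(void)
{
    for (size_t i = 0; i < sizeof(pool) / sizeof(pool[0]); i++)
        if (!pool[i].live) { pool[i].live = 1; pool[i].len = 0; return &pool[i]; }
    return NULL;
}

/* Stand-in for the produce step: rejects payloads starting with '!'. */
static int produce(const struct packet *p) { return (p->len && p->buf[0] == '!') ? -1 : 0; }
/* One .write() call. clear_on_error = 0 models the bug, 1 models the fix. */
static int session_write(struct session *s, const char *data, size_t n, int clear_on_error)
{
    if (n > sizeof(pool[0].buf)) return -2;
    if (s->pending && !s->pending->live) { s->stale_uses++; return -3; } /* UAF point */
    if (!s->pending && !(s->pending = packet_alloc())) return -4;
    memcpy(s->pending->buf, data, n);
    s->pending->len = n;
    int ret = produce(s->pending);
    s->pending->live = 0;            /* released: consumed on success, dropped on error */
    if (ret == 0 || clear_on_error)
        s->pending = NULL;           /* the fix extends this to the error path */
    return ret;
}

/* Failing write, then a valid one; returns how often a dead packet was reached. */
int stale_uses_after_error(int clear_on_error)
{
    struct session s = { NULL, 0 };
    memset(pool, 0, sizeof(pool));
    session_write(&s, "!bad", 4, clear_on_error);
    session_write(&s, "good", 4, clear_on_error);
    return s.stale_uses;
}

int main(void)
{
    printf("bug: %d stale use(s), fix: %d\n", stale_uses_after_error(0), stale_uses_after_error(1));
    return 0;
}
```

With the pointer left in place, the second write reaches the released packet once; with it cleared, the second write allocates a fresh packet and succeeds.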

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/pf: Fix use-after-free in migration restore

When an error is returned from xe_sriov_pf_migration_restore_produce(), the data pointer is not set to NULL, which can trigger use-after-free in subsequent .write() calls. Set the pointer to NULL upon error to fix the problem.

(cherry picked from commit 4f53d8c6d23527d734fe3531d08e15cb170a0819)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel use-after-free in drm/xe/pf driver enables arbitrary code execution or crashes from low-privileged context, directly mapping to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 · Same product: Linux Kernel
CVE-2026-31530 · Same product: Linux Kernel
CVE-2026-43019 · Same product: Linux Kernel
CVE-2026-23158 · Same product: Linux Kernel
CVE-2025-21893 · Same product: Linux Kernel
CVE-2026-31446 · Same product: Linux Kernel
CVE-2026-31650 · Same product: Linux Kernel
CVE-2026-23001 · Same product: Linux Kernel
CVE-2024-50051 · Same product: Linux Kernel
CVE-2025-21759 · Same product: Linux Kernel

Affected Assets

Vendor: linux
Product: linux kernel
Versions: 6.19, 7.0 · 6.19.1 — 6.19.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the use-after-free vulnerability by requiring timely application of the kernel patch that sets the data pointer to NULL upon error in xe_sriov_pf_migration_restore_produce().

prevent

Requires secure error handling that nullifies the data pointer on failure during migration restore to prevent use-after-free in subsequent .write() calls.

prevent

Implements memory protections such as KASLR and SMAP that mitigate exploitation of the use-after-free vulnerability in the kernel's drm/xe/pf component.
