CVE-2026-31490
Published: 22 April 2026
Summary
CVE-2026-31490 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-11 (Error Handling).
Deeper analysis
CVE-2026-31490 is a use-after-free vulnerability in the Linux kernel's drm/xe/pf component. The issue arises during migration restore operations: when xe_sriov_pf_migration_restore_produce() returns an error, the data pointer is not set to NULL, which can lead to a use-after-free condition in subsequent .write() calls.
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, as scored by CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), potentially allowing arbitrary code execution or system crashes.
Kernel patches address the issue by explicitly setting the data pointer to NULL upon error in xe_sriov_pf_migration_restore_produce(). The fix, cherry-picked from commit 4f53d8c6d23527d734fe3531d08e15cb170a0819, is available in stable kernel trees via commits at https://git.kernel.org/stable/c/87997b6c6516e049cbaf2fc6810b213d587a06b1 and https://git.kernel.org/stable/c/e28552b4ddea5cb4725380dd08237831af835124.
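The stale-pointer pattern described above, as an added user-space model (not the xe driver's code; every name in it is hypothetical). It assumes the packet is released on the error path, and it uses one static slot so that a write reaching the released packet can be counted instead of corrupting memory.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-space model; all names are hypothetical, not the xe driver's. */
struct packet { int live; size_t used; unsigned char buf[8]; };
struct restore_ctx { struct packet *data; int stale_hits; };
static struct packet slot; /* one static slot, so touching a released packet stays defined */

static struct packet *packet_get(void) { memset(&slot, 0, sizeof(slot)); slot.live = 1; return &slot; }
static void packet_put(struct packet *p) { p->live = 0; } /* models the free */
/* Stand-in for the produce step; 'fail' forces its error return. */
static int produce(struct packet *p, int fail) { (void)p; return fail ? -EIO : 0; }

/* Models the .write() handler: fills ctx->data and hands it off once full. */
static int restore_write(struct restore_ctx *ctx, const unsigned char *src,
                         size_t len, int fail, int patched)
{
    if (!ctx->data)
        ctx->data = packet_get();
    if (!ctx->data->live)
        ctx->stale_hits++; /* handler reached a packet that was already released */
    if (len > sizeof(ctx->data->buf) - ctx->data->used)
        return -EINVAL;
    memcpy(ctx->data->buf + ctx->data->used, src, len);
    ctx->data->used += len;
    if (ctx->data->used < sizeof(ctx->data->buf))
        return 0; /* packet not complete yet */
    int ret = produce(ctx->data, fail);
    if (ret) {
        packet_put(ctx->data); /* assumption: the error path releases the packet */
        if (patched)
            ctx->data = NULL; /* the fix the page describes */
        return ret;
    }
    ctx->data = NULL; /* success: ownership moved on */
    return 0;
}

/* A failed produce followed by one more write; returns stale accesses observed. */
static int run_scenario(int patched)
{
    struct restore_ctx ctx = { 0 };
    unsigned char full[8] = { 0 }, one = 0;
    restore_write(&ctx, full, sizeof(full), 1, patched); /* produce fails */
    restore_write(&ctx, &one, 1, 0, patched);            /* subsequent write */
    return ctx.stale_hits;
}

int main(void) { printf("stale accesses: unpatched=%d patched=%d\n", run_scenario(0), run_scenario(1)); return 0; }
```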
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24860
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

drm/xe/pf: Fix use-after-free in migration restore

When an error is returned from xe_sriov_pf_migration_restore_produce(), the data pointer is not set to NULL, which can trigger use-after-free in subsequent .write() calls. Set the pointer to NULL upon error to fix the problem.

(cherry picked from commit 4f53d8c6d23527d734fe3531d08e15cb170a0819)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local kernel use-after-free in the drm/xe/pf driver enables arbitrary code execution or crashes from a low-privileged context, which maps directly to exploitation for privilege escalation.
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the use-after-free vulnerability by requiring timely application of the kernel patch that sets the data pointer to NULL upon error in xe_sriov_pf_migration_restore_produce().
- Requires secure error handling that nullifies the data pointer on failure during migration restore to prevent use-after-free in subsequent .write() calls.
- Implements memory protections such as KASLR and SMAP that mitigate exploitation of the use-after-free vulnerability in the kernel's drm/xe/pf component.