Cyber Resilience

CVE-2026-31493

High

Published: 22 April 2026

Modified: 28 April 2026
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (3.3rd percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31493 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 3.3rd percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-31493 is a use-after-free vulnerability (CWE-416) in the Linux kernel's RDMA/efa driver. The flaw arises during admin queue completion handling: if an admin command completes with an error, the code prints data from the completion context after the polling or interrupt handler has already freed it. The context is therefore read in an unknown state, because it may already have been reused for another operation. The vulnerability was published on 2026-04-22 and carries a CVSS v3.1 base score of 7.8.

A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N/S:U) can exploit this vulnerability to achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Exploitation involves triggering the faulty admin queue completion path in the RDMA/efa driver, potentially leading to memory corruption, arbitrary code execution, or denial of service.

Mitigation is available through kernel patches merged into stable trees, as detailed in the following commit references: https://git.kernel.org/stable/c/0dd98aea1c0c45987fa2dd92f988b0eb1a72c125, https://git.kernel.org/stable/c/1cf95fe5dc5471efea947b4c6f8913da6bc7976e, and https://git.kernel.org/stable/c/ef3b06742c8a201d0e83edc9a33a89a4fe3009f8. These changes symmetrize the allocation and deallocation of the completion context, ensuring it is only freed after any potential use. Security practitioners should update affected Linux kernels promptly.
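The pattern described above, reduced to a userspace C model as an added example (not the efa driver's code; every name, the one-slot pool and the simulated second submitter are assumptions for illustration). Freeing in the completion handler lets another command take the slot before the error path reads it, while the symmetric flow keeps the slot owned until after the read.

```c
#include <stdio.h>

/* Userspace model only: hypothetical names, not the efa driver's code. */
#define POOL_SIZE 1              /* one slot makes the reuse deterministic */

struct comp_ctx { int in_use; int cmd_id; int status; };
static struct comp_ctx pool[POOL_SIZE];

static struct comp_ctx *ctx_alloc(int cmd_id)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i] = (struct comp_ctx){ .in_use = 1, .cmd_id = cmd_id };
            return &pool[i];
        }
    }
    return NULL;                 /* pool exhausted */
}

static void ctx_dealloc(struct comp_ctx *c) { c->in_use = 0; }

/* Polling/interrupt side: records the status; the flawed flow also frees here. */
static void handle_completion(struct comp_ctx *c, int status, int free_here)
{
    c->status = status;
    if (free_here)
        ctx_dealloc(c);
}

/* Submits a failing command and returns the cmd_id its error path would log. */
static int submit_and_log(int cmd_id, int fixed)
{
    struct comp_ctx *c = ctx_alloc(cmd_id);
    if (!c)
        return -1;
    handle_completion(c, -5, !fixed);                   /* command fails */
    struct comp_ctx *other = ctx_alloc(cmd_id + 1000);  /* second submitter */
    int logged = c->cmd_id;      /* error path reads the context */
    if (fixed)
        ctx_dealloc(c);          /* symmetric: freed by the submitter, after last use */
    if (other)
        ctx_dealloc(other);
    return logged;
}

int main(void)
{
    printf("flawed flow logs cmd %d, fixed flow logs cmd %d\n",
           submit_and_log(7, 0), submit_and_log(7, 1));
    return 0;
}
```

In the flawed flow the error path reports the second submitter's command; in the fixed flow the second allocation fails because the slot is still owned, so the log reflects the command that actually failed.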

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/efa: Fix use of completion ctx after free

On admin queue completion handling, if the admin command completed with error we print data from the completion context. The issue is that we already freed the completion context in polling/interrupts handler which means we print data from context in an unknown state (it might be already used again).

Change the admin submission flow so alloc/dealloc of the context will be symmetric and dealloc will be called after any potential use of the context.

CWE(s)

CWE-416: Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A use-after-free in a Linux kernel driver enables a local low-privileged attacker to trigger memory corruption, leading to arbitrary code execution and privilege escalation (high CIA impact).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux kernel)
CVE-2026-31530 (same product: Linux kernel)
CVE-2026-43019 (same product: Linux kernel)
CVE-2026-23158 (same product: Linux kernel)
CVE-2025-21893 (same product: Linux kernel)
CVE-2026-31446 (same product: Linux kernel)
CVE-2026-31650 (same product: Linux kernel)
CVE-2026-23001 (same product: Linux kernel)
CVE-2024-50051 (same product: Linux kernel)
CVE-2025-21759 (same product: Linux kernel)

Affected Assets

linux
linux kernel
5.12, 7.0 · 5.12.1 — 6.18.21 · 6.19 — 6.19.11

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mandates timely identification, reporting, and patching of the use-after-free vulnerability in the Linux kernel's RDMA/efa driver as provided in stable kernel commits.

Prevent: Implements kernel memory protections such as KASLR, SMEP, and KPTI that make exploitation of the use-after-free for code execution or corruption significantly harder.

Prevent: Restricts system to least functionality by disabling the unnecessary RDMA/efa kernel driver on systems without compatible hardware, preventing exposure to the vulnerability.
