CVE-2026-31493
Published: 22 April 2026
Summary
CVE-2026-31493 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the 3.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2026-31493 is a use-after-free vulnerability (CWE-416) in the Linux kernel's RDMA/efa driver. The flaw arises during admin queue completion handling: if an admin command completes with an error, the code prints data from the completion context after the polling or interrupt handler has already freed it. The context is therefore read in an unknown state, because it may already have been reused for another operation. The vulnerability was published on 2026-04-22 and carries a CVSS v3.1 base score of 7.8.
A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N/S:U) can exploit this vulnerability to achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Exploitation involves triggering the faulty admin queue completion path in the RDMA/efa driver, potentially leading to memory corruption, arbitrary code execution, or denial of service.
Mitigation is available through kernel patches merged into stable trees, as detailed in the following commit references: https://git.kernel.org/stable/c/0dd98aea1c0c45987fa2dd92f988b0eb1a72c125, https://git.kernel.org/stable/c/1cf95fe5dc5471efea947b4c6f8913da6bc7976e, and https://git.kernel.org/stable/c/ef3b06742c8a201d0e83edc9a33a89a4fe3009f8. These changes symmetrize the allocation and deallocation of the completion context, ensuring it is only freed after any potential use. Security practitioners should update affected Linux kernels promptly.
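The ordering problem and the symmetric alloc/dealloc fix described above can be seen in a small user-space model. This is an added example, not code from the efa driver or the kernel patches: the slot pool, struct and function names are all hypothetical, and the "freed" context is a reusable array slot so the stale read is observable without undefined behaviour.

```c
#include <stdio.h>
/* Constructed user-space model of the flow; every name here is hypothetical. */
#define POOL_SIZE 2
struct comp_ctx { int in_use; int cmd_id; int status; };
static struct comp_ctx pool[POOL_SIZE];

static void pool_reset(void) {
    for (int i = 0; i < POOL_SIZE; i++)
        pool[i].in_use = 0;
}

static struct comp_ctx *ctx_alloc(int cmd_id) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) {
            pool[i] = (struct comp_ctx){ .in_use = 1, .cmd_id = cmd_id };
            return &pool[i];
        }
    return NULL;
}
static void ctx_dealloc(struct comp_ctx *c) { c->in_use = 0; }

/* Polling/interrupt path: stores the completion status in the context.
 * free_here=1 models the flawed flow, where this path also frees it. */
static void handle_completion(struct comp_ctx *c, int status, int free_here) {
    c->status = status;
    if (free_here)
        ctx_dealloc(c);
}

/* Returns the command id the error message would print (0 = success). */
static int submit_and_report(int cmd_id, int status, int free_in_handler) {
    struct comp_ctx *c = ctx_alloc(cmd_id);
    int logged = 0;
    if (!c) return -1;            /* no free context slot */
    handle_completion(c, status, free_in_handler);
    if (free_in_handler)
        ctx_alloc(cmd_id + 100);  /* a second submitter reuses the freed slot */
    if (status != 0)
        logged = c->cmd_id;       /* error print reads the context */
    if (!free_in_handler)
        ctx_dealloc(c);           /* symmetric flow: dealloc after the last use */
    return logged;
}

int main(void) {
    pool_reset(); printf("flawed:    %d\n", submit_and_report(7, -5, 1));
    pool_reset(); printf("symmetric: %d\n", submit_and_report(7, -5, 0));
    return 0;
}
```

In the flawed ordering the error report for command 7 carries the id of the unrelated command that took over the slot; with allocation and release both owned by the submitter, the report reads the context it submitted.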
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24863
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: RDMA/efa: Fix use of completion ctx after free On admin queue completion handling, if the admin command completed with error we print data from the completion context. The issue is that we already freed the completion context in polling/interrupts handler which means we print data from context in an unknown state (it might be already used again). Change the admin submission flow so alloc/dealloc of the context will be symmetric and dealloc will be called after any potential use of the context.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A use-after-free in a Linux kernel driver lets a local low-privileged attacker trigger memory corruption, leading to arbitrary code execution and privilege escalation (high CIA impact).
Mitigating Controls (NIST 800-53 r5)
Directly mandates timely identification, reporting, and patching of the use-after-free vulnerability in the Linux kernel's RDMA/efa driver as provided in stable kernel commits.
Implements kernel memory protections such as KASLR, SMEP, and KPTI that make exploitation of the use-after-free for code execution or corruption significantly harder.
Restricts system to least functionality by disabling the unnecessary RDMA/efa kernel driver on systems without compatible hardware, preventing exposure to the vulnerability.