CVE-2026-31507
Published: 22 April 2026
Summary
CVE-2026-31507 is a high-severity Double Free (CWE-415) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the double-free vulnerability by applying patches to the Linux kernel's SMC splice pipe buffer handling, preventing exploitation via tee(2).
Deploys kernel memory protections like KASLR, SMEP, and SMAP to mitigate use-after-free exploitation and reduce the impact of the slab UAF leading to kernel panic.
Vulnerability scanning detects the presence of CVE-2026-31507 in kernel versions, enabling identification and prioritization for patching.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Double-free/UAF in Linux kernel SMC allows local low-priv exploitation leading to memory corruption, NULL dereference, or arbitrary kernel code execution for privilege escalation.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer smc_rx_splice() allocates one smc_spd_priv per pipe_buffer and stores the pointer in pipe_buffer.private. The pipe_buf_operations for these buffers used .get…
more
= generic_pipe_buf_get, which only increments the page reference count when tee(2) duplicates a pipe buffer. The smc_spd_priv pointer itself was not handled, so after tee() both the original and the cloned pipe_buffer share the same smc_spd_priv *. When both pipes are subsequently released, smc_rx_pipe_buf_release() is called twice against the same object: 1st call: kfree(priv) sock_put(sk) smc_rx_update_cons() [correct] 2nd call: kfree(priv) sock_put(sk) smc_rx_update_cons() [UAF] KASAN reports a slab-use-after-free in smc_rx_pipe_buf_release(), which then escalates to a NULL-pointer dereference and kernel panic via smc_rx_update_consumer() when it chases the freed priv->smc pointer: BUG: KASAN: slab-use-after-free in smc_rx_pipe_buf_release+0x78/0x2a0 Read of size 8 at addr ffff888004a45740 by task smc_splice_tee_/74 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 print_report+0xce/0x650 kasan_report+0xc6/0x100 smc_rx_pipe_buf_release+0x78/0x2a0 free_pipe_info+0xd4/0x130 pipe_release+0x142/0x160 __fput+0x1c6/0x490 __x64_sys_close+0x4f/0x90 do_syscall_64+0xa6/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> BUG: kernel NULL pointer dereference, address: 0000000000000020 RIP: 0010:smc_rx_update_consumer+0x8d/0x350 Call Trace: <TASK> smc_rx_pipe_buf_release+0x121/0x2a0 free_pipe_info+0xd4/0x130 pipe_release+0x142/0x160 __fput+0x1c6/0x490 __x64_sys_close+0x4f/0x90 do_syscall_64+0xa6/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Kernel panic - not syncing: Fatal exception Beyond the memory-safety problem, duplicating an SMC splice buffer is semantically questionable: smc_rx_update_cons() would advance the consumer cursor twice for the same data, corrupting receive-window accounting. A refcount on smc_spd_priv could fix the double-free, but the cursor-accounting issue would still need to be addressed separately. The .get callback is invoked by both tee(2) and splice_pipe_to_pipe() for partial transfers; both will now return -EFAULT. Users who need to duplicate SMC socket data must use a copy-based read path.
Deeper analysisAI
CVE-2026-31507 is a double-free vulnerability in the Linux kernel's Shared Memory Communications (SMC) implementation, specifically in the net/smc subsystem. The issue arises in smc_rx_splice(), which allocates an smc_spd_priv structure per pipe_buffer and stores its pointer in pipe_buffer.private. When tee(2) duplicates a pipe buffer, the generic_pipe_buf_get callback only increments the page reference count without handling the shared smc_spd_priv pointer. Subsequent release of both pipes triggers smc_rx_pipe_buf_release() twice on the same object, leading to a kfree() of the already-freed memory, additional sock_put() calls, and smc_rx_update_cons() invocations. This results in a slab-use-after-free (UAF) detected by KASAN, escalating to a NULL pointer dereference in smc_rx_update_consumer() and a kernel panic.
A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N) can exploit this vulnerability by using tee(2) to duplicate an SMC splice pipe buffer and then closing the pipes, triggering the double-free and UAF. The CVSS v3.1 base score of 7.8 (C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability in the unprivileged user scope (S:U). Exploitation leads to a kernel panic via the NULL pointer dereference, causing a denial of service, with potential for further memory corruption given the UAF.
Patches addressing this vulnerability are available in Linux kernel stable trees via commits such as 24dd586bb4cbba1889a50abe74143817a095c1c9, 3cc76380fea749280c026f410af56a28aaac388a, 54c87a730157868543ebdfa0ecb21b4590ed23a5, 7bcb974c771c863e8588cea0012ac204443a7126, and 7e8916f46c2f48607f907fd401590093753a6bc5. The fix modifies the .get callback to return -EFAULT for tee(2) and splice_pipe_to_pipe() partial transfers, preventing buffer duplication. Users requiring duplication of SMC socket data must switch to a copy-based read path, as duplicating splice buffers is semantically invalid and corrupts receive-window accounting (CWE-415).
Details
- CWE(s)