Cyber Resilience

CVE-2026-31541

High

Published: 24 April 2026

Published
24 April 2026
Modified
28 April 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 3.3th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-31541 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-31541 is a use-after-free (UAF) vulnerability in the Linux kernel's tracing subsystem, specifically affecting the handling of the trace_marker copy functionality. When the "copy_trace_marker" option is enabled for a tracing instance, writes to /sys/kernel/tracing/trace_marker are duplicated into that instance's buffer, with the instance's trace_array descriptor added to an RCU-protected marker_copies linked list. Upon instance deletion, flags including copy_trace_marker are cleared, and an update_marker_trace() call attempts to remove the descriptor from the list. However, if the flag is already cleared, the function does not detect a state change, skipping the necessary synchronize_rcu() call and potentially leaving a dangling pointer that readers can access, leading to a UAF condition classified under CWE-416.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N) in a single-user scope (S:U). Successful exploitation could result in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 7.8, potentially enabling arbitrary code execution, data corruption, or system crashes via manipulated tracing instance deletions and list traversals.

Mitigation requires applying kernel patches from the provided stable commit references, which resolve the issue by reordering operations: clearing all flags after updating the copy_trace_marker option to ensure synchronize_rcu() is invoked, and modifying update_marker_trace() to check the flag state directly rather than list emptiness. These fixes are available at https://git.kernel.org/stable/c/07183aac4a6828e474f00b37c9d795d0d99e18a7, https://git.kernel.org/stable/c/75668e58244e63ec3785098a02e1cdcff14a6c2e, and https://git.kernel.org/stable/c/cc267e4b4302247dc67ef937a9ac587a696a43c1.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: tracing: Fix trace_marker copy link list updates When the "copy_trace_marker" option is enabled for an instance, anything written into /sys/kernel/tracing/trace_marker is also copied into that instances buffer. When the option…

more

is set, that instance's trace_array descriptor is added to the marker_copies link list. This list is protected by RCU, as all iterations uses an RCU protected list traversal. When the instance is deleted, all the flags that were enabled are cleared. This also clears the copy_trace_marker flag and removes the trace_array descriptor from the list. The issue is after the flags are called, a direct call to update_marker_trace() is performed to clear the flag. This function returns true if the state of the flag changed and false otherwise. If it returns true here, synchronize_rcu() is called to make sure all readers see that its removed from the list. But since the flag was already cleared, the state does not change and the synchronization is never called, leaving a possible UAF bug. Move the clearing of all flags below the updating of the copy_trace_marker option which then makes sure the synchronization is performed. Also use the flag for checking the state in update_marker_trace() instead of looking at if the list is empty.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF in tracing subsystem directly enables exploitation for privilege escalation (arbitrary code execution from low-privileged context).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2026-43019Same product: Linux Linux Kernel
CVE-2026-23158Same product: Linux Linux Kernel
CVE-2025-21893Same product: Linux Linux Kernel
CVE-2026-31446Same product: Linux Linux Kernel
CVE-2026-31650Same product: Linux Linux Kernel
CVE-2026-23001Same product: Linux Linux Kernel
CVE-2024-50051Same product: Linux Linux Kernel
CVE-2025-21759Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
7.0 · 6.16 — 6.18.20 · 6.19 — 6.19.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates timely patching of the Linux kernel to remediate the use-after-free vulnerability in the tracing subsystem's copy_trace_marker handling.

prevent

Implements memory protections like ASLR and DEP to mitigate exploitation of the UAF dangling pointer in RCU-protected lists.

detect

Enables vulnerability scanning to identify the specific kernel tracing UAF flaw for prioritized remediation.

References