CVE-2026-31541
Published: 24 April 2026
Summary
CVE-2026-31541 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-31541 is a use-after-free (UAF) vulnerability in the Linux kernel's tracing subsystem, specifically affecting the handling of the trace_marker copy functionality. When the "copy_trace_marker" option is enabled for a tracing instance, writes to /sys/kernel/tracing/trace_marker are duplicated into that instance's buffer, with the instance's trace_array descriptor added to an RCU-protected marker_copies linked list. Upon instance deletion, flags including copy_trace_marker are cleared, and an update_marker_trace() call attempts to remove the descriptor from the list. However, if the flag is already cleared, the function does not detect a state change, skipping the necessary synchronize_rcu() call and potentially leaving a dangling pointer that readers can access, leading to a UAF condition classified under CWE-416.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N) in a single-user scope (S:U). Successful exploitation could result in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 7.8, potentially enabling arbitrary code execution, data corruption, or system crashes via manipulated tracing instance deletions and list traversals.
Mitigation requires applying kernel patches from the provided stable commit references, which resolve the issue by reordering operations: clearing all flags after updating the copy_trace_marker option to ensure synchronize_rcu() is invoked, and modifying update_marker_trace() to check the flag state directly rather than list emptiness. These fixes are available at https://git.kernel.org/stable/c/07183aac4a6828e474f00b37c9d795d0d99e18a7, https://git.kernel.org/stable/c/75668e58244e63ec3785098a02e1cdcff14a6c2e, and https://git.kernel.org/stable/c/cc267e4b4302247dc67ef937a9ac587a696a43c1.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25434
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: tracing: Fix trace_marker copy link list updates When the "copy_trace_marker" option is enabled for an instance, anything written into /sys/kernel/tracing/trace_marker is also copied into that instances buffer. When the option…
more
is set, that instance's trace_array descriptor is added to the marker_copies link list. This list is protected by RCU, as all iterations uses an RCU protected list traversal. When the instance is deleted, all the flags that were enabled are cleared. This also clears the copy_trace_marker flag and removes the trace_array descriptor from the list. The issue is after the flags are called, a direct call to update_marker_trace() is performed to clear the flag. This function returns true if the state of the flag changed and false otherwise. If it returns true here, synchronize_rcu() is called to make sure all readers see that its removed from the list. But since the flag was already cleared, the state does not change and the synchronization is never called, leaving a possible UAF bug. Move the clearing of all flags below the updating of the copy_trace_marker option which then makes sure the synchronization is performed. Also use the flag for checking the state in update_marker_trace() instead of looking at if the list is empty.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel UAF in tracing subsystem directly enables exploitation for privilege escalation (arbitrary code execution from low-privileged context).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Mandates timely patching of the Linux kernel to remediate the use-after-free vulnerability in the tracing subsystem's copy_trace_marker handling.
Implements memory protections like ASLR and DEP to mitigate exploitation of the UAF dangling pointer in RCU-protected lists.
Enables vulnerability scanning to identify the specific kernel tracing UAF flaw for prioritized remediation.