CVE-2026-31554
Published: 24 April 2026
Summary
CVE-2026-31554 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 1.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is classified as AI-related: its category is Other Platforms and its risk domain is Other ATLAS/OWASP Terms.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31554 is a use-after-free vulnerability (CWE-416) in the Linux kernel's futex subsystem. It arises in the sys_futex_requeue() function, which previously permitted operations with different flags between the source and destination futexes, enabling a use-after-free condition. This issue was resolved by mandating identical flags for such operations, consistent with the legacy sys_futex() requeue behavior, as the original motivation—support for variable-sized futexes—has not been merged.
The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). A local attacker with low privileges can exploit it with low complexity and no user interaction required, potentially achieving high impacts on confidentiality, integrity, and availability through kernel memory corruption via the use-after-free.
Mitigation patches are available in Linux kernel stable trees via the referenced commits, including 027145ace09fad4c7cbcd6c61fe9b429c63eb0e5, 18b7d09c2b794c71d4252f3ea2cf84ad12b73d6a, 19f94b39058681dec64a10ebeb6f23fe7fc3f77a, and e2f78c7ec1655fedd945366151ba54fcb9580508. These enforce identical flags in sys_futex_requeue(), eliminating the flaw.
The vulnerability was reported by Nicholas, who noted that his LLM identified the use-after-free possibility in sys_futex_requeue() with differing flags.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25447
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
futex: Require sys_futex_requeue() to have identical flags
Nicholas reported that his LLM found it was possible to create a UaF when sys_futex_requeue() is used with different flags. The initial motivation for allowing different flags was the variable sized futex, but since that hasn't been merged (yet), simply mandate the flags are identical, as is the case for the old style sys_futex() requeue operations.
- CWE(s)
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: llm
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel use-after-free in futex enables direct exploitation for privilege escalation (memory corruption to root from low-priv user).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation directly addresses the CVE by applying kernel patches that enforce identical flags in sys_futex_requeue, eliminating the use-after-free vulnerability.
Memory protection mechanisms such as KASLR, SMEP, and SMAP protect against kernel use-after-free exploits by enforcing memory separation and preventing unauthorized code execution.
Information input validation for kernel system calls like sys_futex_requeue ensures flag parameters are checked, preventing invalid operations that trigger the use-after-free condition.