Cyber Posture

CVE-2026-31589

Critical

Published: 24 April 2026

Modified: 07 May 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (17.9th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31589 is a critical-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 17.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Mandates timely identification, reporting, and correction of software flaws, directly addressing this Linux kernel use-after-free vulnerability through patching.

prevent

Implements memory safeguards such as address space layout randomization and data execution prevention to mitigate exploitation of kernel use-after-free errors.

detect

Requires vulnerability scanning to identify presence of this kernel CVE in systems, enabling proactive remediation.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Remote unauthenticated network exploitation of kernel UAF directly enables T1190 for initial access and T1068 for kernel-level privilege escalation to achieve arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved:

mm: call ->free_folio() directly in folio_unmap_invalidate()

We can only call filemap_free_folio() if we have a reference to (or hold a lock on) the mapping. Otherwise, we've already removed the folio from the mapping so it no longer pins the mapping and the mapping can be removed, causing a use-after-free when accessing mapping->a_ops.

Follow the same pattern as __remove_mapping() and load the free_folio function pointer before dropping the lock on the mapping. That lets us make filemap_free_folio() static as this was the only caller outside filemap.c.

Deeper analysis [AI]

CVE-2026-31589 is a use-after-free vulnerability (CWE-416) in the Linux kernel's memory management subsystem, specifically within the folio_unmap_invalidate() function. The issue arises when filemap_free_folio() is called without a reference to or lock on the mapping, after the folio has been removed from it. This allows the mapping to be freed prematurely, leading to a use-after-free when accessing mapping->a_ops. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

A remote, unauthenticated attacker with network access can exploit this vulnerability due to its low attack complexity and lack of required privileges or user interaction. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially enabling arbitrary code execution, data corruption, or system denial of service in affected Linux kernel instances.

Mitigation involves applying the upstream kernel patches referenced in the stable repository commits: 615d9bb2ccad42f9e21d837431e401db2e471195, b667df39d98a7a24be7c2a40ff0863dac1ad2cd7, and c330e65ea59c4805d6ab6757c4ddfe8c63acef31. These patches modify folio_unmap_invalidate() to load the ->free_folio() function pointer before dropping the mapping lock and then call it directly, and they make filemap_free_folio() static because it is now used only within filemap.c.
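The ordering the patch description calls for, shown as an added user-space model that is not the kernel's code or the patch itself. All names here (`struct mapping`, `unmap_invalidate_fixed`, `mapping_teardown`, the `locked` flag) are hypothetical stand-ins, and the teardown that would happen concurrently in the kernel is performed immediately after the unlock so the hazard window is deterministic.

```c
#include <stdlib.h>
#include <string.h>

/* User-space model with hypothetical names; not kernel code. */
struct folio { int id; };
struct addr_ops { void (*free_folio)(struct folio *); };
struct mapping {
    int locked;                     /* stand-in for the mapping lock */
    const struct addr_ops *a_ops;
    int nr_folios;                  /* a folio in the mapping pins it */
};

static int freed_folios;
static void demo_free_folio(struct folio *f) { (void)f; freed_folios++; }
static const struct addr_ops demo_ops = { .free_folio = demo_free_folio };

static struct mapping *mapping_new(int nr_folios)
{
    struct mapping *m = calloc(1, sizeof(*m));
    if (m) { m->a_ops = &demo_ops; m->nr_folios = nr_folios; }
    return m;
}

/* Models teardown by another context: poison, then free the mapping. */
static void mapping_teardown(struct mapping *m)
{
    memset(m, 0xAA, sizeof(*m));
    free(m);
}

/* Fixed ordering. Returns 1 if the mapping was torn down, else 0. */
static int unmap_invalidate_fixed(struct mapping *m, struct folio *f)
{
    void (*free_folio)(struct folio *);
    int unpinned;

    m->locked = 1;
    free_folio = m->a_ops->free_folio;  /* load while the lock is held */
    unpinned = (--m->nr_folios == 0);   /* folio removed from mapping */
    m->locked = 0;                      /* lock dropped */

    if (unpinned)
        mapping_teardown(m);            /* worst case: m is freed right here */
    /* The unsafe ordering reads m->a_ops at this point, after the free. */
    if (free_folio)
        free_folio(f);                  /* uses only the saved pointer */
    return unpinned;
}
```

Building the model with `-fsanitize=address` and moving the `m->a_ops` read below the teardown makes the sanitizer report the heap-use-after-free, which is a quick way to confirm the ordering matters.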

Details

CWE(s)

Affected Products

linux
linux kernel
6.14 — 6.19.14 · 7.0 — 7.0.1

CVEs Like This One

CVE-2026-31444: Same product: Linux Linux Kernel
CVE-2026-31533: Same product: Linux Linux Kernel
CVE-2026-23428: Same product: Linux Linux Kernel
CVE-2026-23221: Same product: Linux Linux Kernel
CVE-2025-21763: Same product: Linux Linux Kernel
CVE-2025-21631: Same product: Linux Linux Kernel
CVE-2025-21855: Same product: Linux Linux Kernel
CVE-2026-23158: Same product: Linux Linux Kernel
CVE-2026-22995: Same product: Linux Linux Kernel
CVE-2026-31695: Same product: Linux Linux Kernel

References