Cyber Resilience

CVE-2026-31589

Critical

Published: 24 April 2026

Published
24 April 2026
Modified
07 May 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0044 35.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-31589 is a critical-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-31589 is a use-after-free vulnerability (CWE-416) in the Linux kernel's memory management subsystem, specifically within the folio_unmap_invalidate() function. The issue arises when filemap_free_folio() is called without a reference to or lock on the mapping, after the folio has been removed from it. This allows the mapping to be freed prematurely, leading to a use-after-free when accessing mapping->a_ops. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

A remote, unauthenticated attacker with network access can exploit this vulnerability due to its low attack complexity and lack of required privileges or user interaction. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially enabling arbitrary code execution, data corruption, or system denial of service in affected Linux kernel instances.

Mitigation involves applying the upstream kernel patches referenced in the stable repository commits: 615d9bb2ccad42f9e21d837431e401db2e471195, b667df39d98a7a24be7c2a40ff0863dac1ad2cd7, and c330e65ea59c4805d6ab6757c4ddfe8c63acef31. These patches modify folio_unmap_invalidate() to call ->free_folio() directly after loading the function pointer before dropping the mapping lock, and make filemap_free_folio() static as it is now only used internally within filemap.c.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: mm: call ->free_folio() directly in folio_unmap_invalidate() We can only call filemap_free_folio() if we have a reference to (or hold a lock on) the mapping. Otherwise, we've already removed the folio…

more

from the mapping so it no longer pins the mapping and the mapping can be removed, causing a use-after-free when accessing mapping->a_ops. Follow the same pattern as __remove_mapping() and load the free_folio function pointer before dropping the lock on the mapping. That lets us make filemap_free_folio() static as this was the only caller outside filemap.c.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Remote unauthenticated network exploitation of kernel UAF directly enables T1190 for initial access and T1068 for kernel-level privilege escalation to achieve arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23428Same product: Linux Linux Kernel
CVE-2026-31533Same product: Linux Linux Kernel
CVE-2026-31444Same product: Linux Linux Kernel
CVE-2023-53021Same product: Linux Linux Kernel
CVE-2022-49694Same product: Linux Linux Kernel
CVE-2022-49377Same product: Linux Linux Kernel
CVE-2024-57801Same product: Linux Linux Kernel
CVE-2026-23432Same product: Linux Linux Kernel
CVE-2026-43019Same product: Linux Linux Kernel
CVE-2022-49390Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.14 — 6.19.14 · 7.0 — 7.0.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates timely identification, reporting, and correction of software flaws, directly addressing this Linux kernel use-after-free vulnerability through patching.

prevent

Implements memory safeguards such as address space layout randomization and data execution prevention to mitigate exploitation of kernel use-after-free errors.

detect

Requires vulnerability scanning to identify presence of this kernel CVE in systems, enabling proactive remediation.

References