CVE-2026-31597
Published: 24 April 2026
Summary
CVE-2026-31597 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2026-31597 is a use-after-free vulnerability in the Linux kernel's ocfs2 filesystem, specifically within the ocfs2_fault() function. The flaw occurs when filemap_fault() drops the mmap_lock before returning VM_FAULT_RETRY, enabling a concurrent munmap() to invoke remove_vma() and free the vm_area_struct via RCU. This leaves the saved vma pointer in ocfs2_fault() as a dangling reference, which is subsequently dereferenced in trace_ocfs2_fault(), classified under CWE-416 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Exploitation leads to high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data corruption, or system crashes through the use-after-free condition in the memory management path involving OCFS2 file faults.
The referenced kernel stable commits provide the mitigation by saving ip_blkno as a plain integer before calling filemap_fault() and removing the vma from the trace event, ensuring ip_blkno remains valid even if the vma or inode is freed afterward. Affected systems should apply patches from these commits, including https://git.kernel.org/stable/c/4cf2768a0291a0cdd0dae801ea0eafa3878a349d, https://git.kernel.org/stable/c/6f072daefcab1d84ce37c073645615f63be91006, https://git.kernel.org/stable/c/76a602fdbb78dd05b2da06f74a988cebc97e82d0, https://git.kernel.org/stable/c/7de554cabf160e331e4442e2a9ad874ca9875921, and https://git.kernel.org/stable/c/925bf22c1b823e231b1baea761fe8a1512e442f2.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25490
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY, as documented in mm/filemap.c: "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock…
more
may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()." When this happens, a concurrent munmap() can call remove_vma() and free the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call dereferences it -- a use-after-free. Fix this by saving ip_blkno as a plain integer before calling filemap_fault(), and removing vma from the trace event. Since ip_blkno is copied by value before the lock can be dropped, it remains valid regardless of what happens to the vma or inode afterward.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel use-after-free in ocfs2_fault() enables arbitrary code execution or memory corruption from low-privileged context, directly mapping to Exploitation for Privilege Escalation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates timely remediation of the use-after-free flaw in ocfs2_fault via kernel patching as referenced in the stable commits.
Implements memory protection mechanisms that mitigate exploitation of the dangling vma pointer dereference in kernel memory management.
Restricts system to least functionality by disabling unnecessary OCFS2 filesystem module, avoiding exposure to the fault handling vulnerability.