Cyber Resilience

CVE-2026-31597

Severity: High · Updated

Published: 24 April 2026
Modified: 01 June 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 7.8, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0001 (3.0th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31597 is a high-severity Use After Free (CWE-416) vulnerability in the Linux Kernel (vendor: Linux). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 3.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-31597 is a use-after-free vulnerability in the Linux kernel's ocfs2 filesystem, specifically in the ocfs2_fault() page-fault handler. filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY; in that window a concurrent munmap() can invoke remove_vma() and free the vm_area_struct via RCU. The vma pointer that ocfs2_fault() saved before the call is then a dangling reference, and the subsequent trace_ocfs2_fault() call dereferences it. The flaw is classified under CWE-416 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can trigger the flaw with low attack complexity and no user interaction. Successful exploitation has high impact on confidentiality, integrity, and availability: the use-after-free in the memory-management path for OCFS2 file faults can lead to arbitrary code execution, data corruption, or a system crash.

The referenced kernel stable commits fix the flaw by saving ip_blkno as a plain integer before calling filemap_fault() and removing the vma from the trace event, so ip_blkno remains valid even if the vma or inode is freed afterwards. Affected systems should apply the patches from these commits:

https://git.kernel.org/stable/c/4cf2768a0291a0cdd0dae801ea0eafa3878a349d
https://git.kernel.org/stable/c/6f072daefcab1d84ce37c073645615f63be91006
https://git.kernel.org/stable/c/76a602fdbb78dd05b2da06f74a988cebc97e82d0
https://git.kernel.org/stable/c/7de554cabf160e331e4442e2a9ad874ca9875921
https://git.kernel.org/stable/c/925bf22c1b823e231b1baea761fe8a1512e442f2
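The ordering point behind the fix is easy to see in a small user-space model. The C program below is an added illustration written for this page; it is not kernel code and not taken from the referenced commits. Every type and function with the _model suffix, the checked accessor that counts stale reads instead of crashing, and the sample block number 4242 are constructed for the example. It runs the same simulated fault through the vulnerable ordering (dereference the saved vma after the call that may drop the lock) and the fixed ordering (copy ip_blkno by value first, pass the integer to the trace point), and shows that only the first one touches the freed VMA.

```c
/* Constructed user-space model of the ocfs2_fault() ordering bug and its fix.
 * Nothing here is kernel code; every name ending in _model is invented for this
 * illustration. The "freed" flag plays the role a sanitizer quarantine would. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define VM_FAULT_RETRY_MODEL 0x400000u  /* stand-in flag value, only a return code here */

struct inode_model { uint64_t ip_blkno; };

struct vma_model {
    struct inode_model *inode;
    bool freed;                 /* set by the simulated remove_vma() */
};

struct vmf_model {
    struct vma_model *vma;
    unsigned long pgoff;
    bool will_retry;            /* simulate the page cache needing I/O */
};

static uint64_t last_traced_blkno;  /* what the trace point received */
static int stale_reads;             /* reads through a freed VMA, counted instead of crashing */

/* What a racing munmap() does once mmap_lock has been dropped. */
static void remove_vma_model(struct vma_model *vma)
{
    vma->freed = true;
    vma->inode = NULL;
}

/* Every read of vma->...->ip_blkno in this model goes through this checked accessor. */
static uint64_t read_ip_blkno_checked(const struct vma_model *vma)
{
    if (vma->freed) {
        stale_reads++;          /* in the real kernel this is the use-after-free */
        return 0;
    }
    return vma->inode->ip_blkno;
}

/* filemap_fault() stand-in: a retry means the lock was dropped, and in this model
 * the concurrent unmap always wins the race in that window. */
static unsigned filemap_fault_model(struct vmf_model *vmf)
{
    if (vmf->will_retry) {
        remove_vma_model(vmf->vma);
        return VM_FAULT_RETRY_MODEL;
    }
    return 0;
}

/* Vulnerable ordering: the saved vma is dereferenced AFTER the call that may drop the lock. */
static unsigned fault_vulnerable_model(struct vmf_model *vmf)
{
    struct vma_model *vma = vmf->vma;
    unsigned ret = filemap_fault_model(vmf);
    last_traced_blkno = read_ip_blkno_checked(vma);   /* trace_ocfs2_fault(..., vma, ...) */
    return ret;
}

/* Fixed ordering, mirroring the stable commits: copy ip_blkno by value before the call
 * and hand the trace point the integer, never the vma. */
static unsigned fault_fixed_model(struct vmf_model *vmf)
{
    uint64_t ip_blkno = read_ip_blkno_checked(vmf->vma);
    unsigned ret = filemap_fault_model(vmf);
    last_traced_blkno = ip_blkno;
    return ret;
}

/* Run one fault through a handler; returns how many stale reads it performed. */
static int run_fault(unsigned (*handler)(struct vmf_model *), bool retry)
{
    struct inode_model inode = { .ip_blkno = 4242 };            /* constructed sample value */
    struct vma_model vma = { .inode = &inode, .freed = false };
    struct vmf_model vmf = { .vma = &vma, .pgoff = 7, .will_retry = retry };

    stale_reads = 0;
    last_traced_blkno = 0;
    (void)handler(&vmf);
    return stale_reads;
}

static uint64_t traced_blkno(void) { return last_traced_blkno; }

int main(void)
{
    int stale = run_fault(fault_vulnerable_model, true);
    printf("vulnerable, lock dropped: stale reads = %d, traced blkno = %llu\n",
           stale, (unsigned long long)traced_blkno());
    stale = run_fault(fault_fixed_model, true);
    printf("fixed, lock dropped:      stale reads = %d, traced blkno = %llu\n",
           stale, (unsigned long long)traced_blkno());
    return 0;
}
```

The model deliberately makes the unmap win every time the lock is dropped, which is the worst case the patch has to be correct for; in the real kernel the race is probabilistic, which is exactly why a KASAN-style checked read (here, the freed flag) is the practical way to catch this class of bug in testing rather than waiting for a crash.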

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY, as documented in mm/filemap.c: "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()." When this happens, a concurrent munmap() can call remove_vma() and free the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call dereferences it -- a use-after-free. Fix this by saving ip_blkno as a plain integer before calling filemap_fault(), and removing vma from the trace event. Since ip_blkno is copied by value before the lock can be dropped, it remains valid regardless of what happens to the vma or inode afterward.

CWE(s)

CWE-416 Use After Free
Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A local kernel use-after-free in ocfs2_fault() enables memory corruption or arbitrary code execution from a low-privileged context, which maps directly to Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111: same product (Linux Kernel)
CVE-2026-31530: same product (Linux Kernel)
CVE-2026-43019: same product (Linux Kernel)
CVE-2026-23158: same product (Linux Kernel)
CVE-2025-21893: same product (Linux Kernel)
CVE-2026-31446: same product (Linux Kernel)
CVE-2026-31650: same product (Linux Kernel)
CVE-2026-23001: same product (Linux Kernel)
CVE-2024-50051: same product (Linux Kernel)
CVE-2025-21759: same product (Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 2.6.39 through 6.6.136 · 6.7 through 6.12.83 · 6.13 through 6.18.24

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): directly mandates timely remediation of the use-after-free flaw in ocfs2_fault() via kernel patching, as referenced in the stable commits.

Memory protection (prevent): implements memory protection mechanisms that mitigate exploitation of the dangling vma pointer dereference in kernel memory management.

CM-7 Least Functionality (prevent): restricts the system to least functionality by disabling the OCFS2 filesystem module where it is not needed, removing exposure to the fault-handling vulnerability.
