Cyber Posture

CVE-2026-31600

High

Published: 24 April 2026

Published
24 April 2026
Modified
29 April 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0004 10.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-31600 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 10.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Requires timely identification, reporting, and patching of the Linux kernel flaw in arm64 memory management handling invalid large leaf mappings.

RA-5 Vulnerability Monitoring and Scanning good match
detect

Enables vulnerability scanning to identify systems with vulnerable Linux kernel versions affected by CVE-2026-31600.

SI-16 Memory Protection partial match
prevent

Implements memory protection safeguards to mitigate risks from improper handling of invalid page table entries in the kernel linear map.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

The vulnerability is a remotely exploitable NULL pointer dereference in the Linux kernel that directly results in a kernel panic, enabling Endpoint Denial of Service via Application or System Exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved: arm64: mm: Handle invalid large leaf mappings correctly It has been possible for a long time to mark ptes in the linear map as invalid. This is done for secretmem,…

more

kfence, realm dma memory un/share, and others, by simply clearing the PTE_VALID bit. But until commit a166563e7ec37 ("arm64: mm: support large block mapping when rodata=full") large leaf mappings were never made invalid in this way. It turns out various parts of the code base are not equipped to handle invalid large leaf mappings (in the way they are currently encoded) and I've observed a kernel panic while booting a realm guest on a BBML2_NOABORT system as a result: [ 15.432706] software IO TLB: Memory encryption is active and system is using DMA bounce buffers [ 15.476896] Unable to handle kernel paging request at virtual address ffff000019600000 [ 15.513762] Mem abort info: [ 15.527245] ESR = 0x0000000096000046 [ 15.548553] EC = 0x25: DABT (current EL), IL = 32 bits [ 15.572146] SET = 0, FnV = 0 [ 15.592141] EA = 0, S1PTW = 0 [ 15.612694] FSC = 0x06: level 2 translation fault [ 15.640644] Data abort info: [ 15.661983] ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000 [ 15.694875] CM = 0, WnR = 1, TnD = 0, TagAccess = 0 [ 15.723740] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 15.755776] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000081f3f000 [ 15.800410] [ffff000019600000] pgd=0000000000000000, p4d=180000009ffff403, pud=180000009fffe403, pmd=00e8000199600704 [ 15.855046] Internal error: Oops: 0000000096000046 [#1] SMP [ 15.886394] Modules linked in: [ 15.900029] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 7.0.0-rc4-dirty #4 PREEMPT [ 15.935258] Hardware name: linux,dummy-virt (DT) [ 15.955612] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 15.986009] pc : __pi_memcpy_generic+0x128/0x22c [ 16.006163] lr : swiotlb_bounce+0xf4/0x158 [ 16.024145] sp : ffff80008000b8f0 [ 16.038896] x29: ffff80008000b8f0 x28: 0000000000000000 x27: 0000000000000000 [ 16.069953] x26: ffffb3976d261ba8 x25: 0000000000000000 x24: ffff000019600000 [ 16.100876] x23: 0000000000000001 x22: ffff0000043430d0 x21: 0000000000007ff0 [ 16.131946] x20: 0000000084570010 x19: 0000000000000000 x18: ffff00001ffe3fcc [ 16.163073] x17: 0000000000000000 x16: 00000000003fffff x15: 646e612065766974 [ 16.194131] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 16.225059] x11: 0000000000000000 x10: 0000000000000010 x9 : 0000000000000018 [ 16.256113] x8 : 0000000000000018 x7 : 0000000000000000 x6 : 0000000000000000 [ 16.287203] x5 : ffff000019607ff0 x4 : ffff000004578000 x3 : ffff000019600000 [ 16.318145] x2 : 0000000000007ff0 x1 : ffff000004570010 x0 : ffff000019600000 [ 16.349071] Call trace: [ 16.360143] __pi_memcpy_generic+0x128/0x22c (P) [ 16.380310] swiotlb_tbl_map_single+0x154/0x2b4 [ 16.400282] swiotlb_map+0x5c/0x228 [ 16.415984] dma_map_phys+0x244/0x2b8 [ 16.432199] dma_map_page_attrs+0x44/0x58 [ 16.449782] virtqueue_map_page_attrs+0x38/0x44 [ 16.469596] virtqueue_map_single_attrs+0xc0/0x130 [ 16.490509] virtnet_rq_alloc.isra.0+0xa4/0x1fc [ 16.510355] try_fill_recv+0x2a4/0x584 [ 16.526989] virtnet_open+0xd4/0x238 [ 16.542775] __dev_open+0x110/0x24c [ 16.558280] __dev_change_flags+0x194/0x20c [ 16.576879] netif_change_flags+0x24/0x6c [ 16.594489] dev_change_flags+0x48/0x7c [ 16.611462] ip_auto_config+0x258/0x1114 [ 16.628727] do_one_initcall+0x80/0x1c8 [ 16.645590] kernel_init_freeable+0x208/0x2f0 [ 16.664917] kernel_init+0x24/0x1e0 [ 16.680295] ret_from_fork+0x10/0x20 [ 16.696369] Code: 927cec03 cb0e0021 8b0e0042 a9411c26 (a900340c) [ 16.723106] ---[ end trace 0000000000000000 ]--- [ 16.752866] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b [ 16.792556] Kernel Offset: 0x3396ea200000 from 0xffff8000800000 ---truncated---

Deeper analysisAI

CVE-2026-31600 is a vulnerability in the Linux kernel's arm64 memory management subsystem, specifically involving improper handling of invalid large leaf mappings in the linear map. While page table entries (PTEs) in the linear map have long been marked invalid by clearing the PTE_VALID bit for features like secretmem, kfence, and realm DMA memory operations, large leaf mappings were not previously invalidated in this manner until commit a166563e7ec37. Code paths such as SWIOTLB bounce buffering fail to handle these invalid mappings correctly, leading to a kernel paging fault and panic, as observed during boot of a realm guest on a BBML2_NOABORT system with memory encryption active.

A remote, unauthenticated attacker with no privileges or user interaction can exploit this vulnerability over the network with low complexity, achieving a denial of service via kernel panic (CVSS 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H; CWE-476: NULL Pointer Dereference). The issue manifests during kernel initialization, such as in virtnet_open when mapping pages for virtqueue during ip_auto_config, triggering a data abort at level 2 translation fault in __pi_memcpy_generic within swiotlb_bounce.

Mitigation patches are available in Linux kernel stable trees, addressing the handling of invalid large leaf mappings in arm64 mm. Key commits include 15bfba1ad77fad8e45a37aae54b3c813b33fe27c, 747b6482e4e227fd351197dde6f64a97107a9e52, 8140b21d19015227a28c255404462f2d3e6edc9a, and cbea627ea634f41c79d18f0c6d20db66fa93514c, accessible via git.kernel.org/stable.

Details

CWE(s)
CWE-476

Affected Products

linux
linux kernel
6.18 — 6.18.24 · 6.19 — 6.19.14 · 7.0 — 7.0.1

CVEs Like This One

CVE-2026-31638Same product: Linux Linux Kernel
CVE-2026-22992Same product: Linux Linux Kernel
CVE-2026-31477Same product: Linux Linux Kernel
CVE-2026-31450Same product: Linux Linux Kernel
CVE-2026-22998Same product: Linux Linux Kernel
CVE-2026-22991Same product: Linux Linux Kernel
CVE-2026-23198Same product: Linux Linux Kernel
CVE-2026-23148Same product: Linux Linux Kernel
CVE-2026-31657Same product: Linux Linux Kernel
CVE-2026-23440Same product: Linux Linux Kernel

References