CVE-2026-31652
Published: 24 April 2026
Summary
CVE-2026-31652 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); it is ranked at the 3.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31652 is a memory leak vulnerability in the Linux kernel's DAMON statistics module (mm/damon/stat). The issue occurs in the damon_stat_start() function, which always allocates a damon_ctx object but fails to deallocate it if the subsequent damon_call() fails. If a user re-enables the feature by writing 'Y' to the "enabled" sysfs attribute after such a failure, the previously allocated damon_ctx object leaks. A naive fix by immediate deallocation risks a use-after-free, as the associated kdamond thread may still access the object.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction. By triggering damon_call() failures and repeatedly enabling the feature, the attacker can cause repeated leaks of damon_ctx objects. The CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability, classified under CWE-416 (Use After Free), indicating potential for escalation beyond simple leakage.
Kernel patch commits provide mitigation by modifying damon_stat_start() to avoid deallocation on damon_call() failure, instead returning without freeing the object. On subsequent invocations, the function checks if the kdamond has fully terminated before deallocating; if not, it returns -EAGAIN to allow safe retry. Affected systems should apply stable kernel updates from the referenced commits: https://git.kernel.org/stable/c/16c92e9bf55fa049ddb5e894dc0623dacd46a620, https://git.kernel.org/stable/c/447f8870b484f6596d7a7130e72bd0a3f1e037bb, and https://git.kernel.org/stable/c/4c04c6b47c361612b1d70cec8f7a60b1482d1400. The vulnerability was discovered by sashiko and published on 2026-04-24.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25545
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

mm/damon/stat: deallocate damon_call() failure leaking damon_ctx

damon_stat_start() always allocates the module's damon_ctx object (damon_stat_context). Meanwhile, if damon_call() in the function fails, the damon_ctx object is not deallocated. Hence, if damon_call() fails and the user writes Y to "enabled" again, the previously allocated damon_ctx object is leaked. This cannot simply be fixed by deallocating the damon_ctx object when damon_call() fails. That's because damon_call() failure doesn't guarantee that the kdamond main function, which accesses the damon_ctx object, is completely finished. In other words, if damon_stat_start() deallocates the damon_ctx object after damon_call() failure, the not-yet-terminated kdamond could access the freed memory (use-after-free). Fix the leak while avoiding the use-after-free by keeping damon_stat_start() returning without deallocating the damon_ctx object after damon_call() failure, but deallocating it when the function is invoked again and the kdamond is completely terminated. If the kdamond is not yet terminated, simply return -EAGAIN, as the kdamond will soon be terminated. The issue was discovered [1] by sashiko.
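The following is an added user-space C model of the lifetime problem described in the deeper analysis and in the commit message above; it is not the kernel's code. The module-global context, the kdamond, damon_call() and the sysfs enable path are all stand-ins (ctx_alloc, damon_call_model, kdamond_terminate and the scenario functions are constructed names), and the counter of live objects is what makes the leak visible.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
/* Constructed user-space model of the lifetime bug; not the kernel's code. */
struct damon_ctx { int dummy; };
static struct damon_ctx *damon_stat_context; /* module-global ctx, as in mm/damon/stat */
static bool kdamond_running;                 /* kdamond main loop may still touch the ctx */
static bool damon_call_fails;                /* scenario knob: make damon_call() fail */
static int live_ctx;                         /* allocations minus frees; >1 means a leak */
static struct damon_ctx *ctx_alloc(void) { live_ctx++; return calloc(1, sizeof(struct damon_ctx)); }
static void ctx_free(struct damon_ctx *c) { live_ctx--; free(c); }
/* Model of damon_call(): the kdamond was already started and may keep running
 * after an error return, so the ctx must not be freed right away. */
static int damon_call_model(void) {
    kdamond_running = true;
    return damon_call_fails ? -EINVAL : 0;   /* assumption: any negative errno */
}
/* Vulnerable shape: always allocate; the previous ctx becomes unreachable. */
static int damon_stat_start_vulnerable(void) {
    damon_stat_context = ctx_alloc();
    return damon_call_model();
}
/* Fixed shape: keep the ctx after a failure; on the next enable free it only
 * once the kdamond has terminated, otherwise ask the caller to retry. */
static int damon_stat_start_fixed(void) {
    if (damon_stat_context) {
        if (kdamond_running)
            return -EAGAIN;               /* freeing now would be a use-after-free */
        ctx_free(damon_stat_context);
        damon_stat_context = NULL;
    }
    damon_stat_context = ctx_alloc();
    return damon_call_model();
}
static void kdamond_terminate(void) { kdamond_running = false; }
/* Fresh scenario: drop the reachable ctx of the previous run, start in "damon_call() fails" mode. */
static void reset(void) { free(damon_stat_context); damon_stat_context = NULL; kdamond_running = false; damon_call_fails = true; live_ctx = 0; }
/* Old code, two failed enables: returns live ctx count (2 = one object leaked). */
int vulnerable_live_after_two_failed_enables(void) {
    reset(); damon_stat_start_vulnerable(); damon_stat_start_vulnerable(); return live_ctx;
}
/* Fixed code, re-enable while the kdamond still runs: -EAGAIN and nothing freed. */
int fixed_retry_while_kdamond_runs(void) {
    reset(); damon_stat_start_fixed(); return damon_stat_start_fixed();
}
/* Fixed code after the kdamond exits: old ctx freed, exactly one stays live. */
int fixed_live_after_kdamond_exit(void) {
    reset(); damon_stat_start_fixed(); kdamond_terminate(); damon_stat_start_fixed(); return live_ctx;
}
```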
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploitation for Privilege Escalation (T1068)
Why these techniques?
Local kernel memory leak/UAF in DAMON sysfs handler directly enables local low-priv exploitation for privilege escalation (high C/I/A impact).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely remediation of the specific kernel flaw in damon_stat_start() by applying patches that properly handle damon_ctx deallocation on damon_call() failure.
- CM-7 (Least Functionality): Restricts enabling of the non-essential DAMON statistics module via sysfs, preventing local low-privilege attackers from triggering the memory leak.
- Deploys kernel memory protections like ASLR and DEP to minimize exploitation impacts of the damon_ctx leak and associated use-after-free risks.