Cyber Resilience

CVE-2026-31652

Severity: High
Published: 24 April 2026
Modified: 27 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
CVSS v3.1 score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0001 (3.3rd percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31652 is a high-severity vulnerability in the Linux kernel (vendor Linux, product Linux Kernel), classified as CWE-416 (Use After Free) with a CVSS v3.1 base score of 7.8 (High). The underlying defect is a leak of the DAMON statistics module's damon_ctx object after a failed damon_call(); the use-after-free is what a naive fix (freeing the object while its kdamond thread may still be running) would introduce.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 3.3rd percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations identified in the analysis below are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31652 is a memory leak in the Linux kernel's DAMON statistics module (mm/damon/stat). damon_stat_start() always allocates the module's damon_ctx object but does not free it when the subsequent damon_call() fails. If the user then re-enables the feature by writing Y to the "enabled" attribute, the previously allocated damon_ctx object is leaked. The leak cannot be fixed by freeing the object immediately on failure: a damon_call() failure does not guarantee that the kdamond thread, which accesses the object, has terminated, so an immediate free would turn the leak into a use-after-free.

A local attacker with low privileges (PR:L) can trigger the flaw with low attack complexity and no user interaction: make damon_call() fail and repeatedly re-enable the feature, leaking one damon_ctx object per attempt. The CVSS v3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, 7.8) rates confidentiality, integrity and availability impact as high, consistent with the CWE-416 (Use After Free) classification. Two caveats for triage: the fix commit describes the use-after-free as the consequence of a naive fix rather than of the shipped code, so the effect demonstrated on unpatched kernels is unbounded kernel memory consumption (availability); and the "enabled" attribute is exposed through sysfs, so check who can actually write it on the target system, and whether CONFIG_DAMON_STAT is built into the kernel at all, before accepting the PR:L assumption as applicable.

The fix commits change damon_stat_start() so that it returns without freeing the damon_ctx object when damon_call() fails. On the next invocation the function checks whether the kdamond has fully terminated and only then frees the old object; if the kdamond is still running it returns -EAGAIN so the caller can retry safely. Affected systems should apply stable kernel updates containing the referenced commits: https://git.kernel.org/stable/c/16c92e9bf55fa049ddb5e894dc0623dacd46a620, https://git.kernel.org/stable/c/447f8870b484f6596d7a7130e72bd0a3f1e037bb, and https://git.kernel.org/stable/c/4c04c6b47c361612b1d70cec8f7a60b1482d1400. The issue was discovered by sashiko; the CVE was published on 2026-04-24.
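The trade-off described above (free on failure and risk a use-after-free, or defer the free and avoid the leak) is easiest to see in a small user-space model. The block below is an added illustration, not the kernel's code and not text from the fix commits: damon_ctx_model, the 8-slot pool, model_damon_call(), vuln_start() and fixed_start() are stand-ins chosen here. The vulnerable path allocates on every start and drops the old pointer; the fixed path follows the commit's description (keep the object after a failure, free it on the next start only once the kdamond is gone, otherwise return -EAGAIN). The pool makes the consequence of the leak visible: once every slot is held by a leaked object, no further allocation succeeds.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Added user-space model of the damon_stat_start() leak and its fix (not kernel
 * code): the pool stands in for the allocator, model_damon_call() for
 * damon_call(), and kdamond_running for the kdamond that may still use ctx. */
#define MODEL_EAGAIN 11   /* errno value of EAGAIN; the model returns it negated */
#define POOL_SIZE 8
struct damon_ctx_model { bool in_use; bool kdamond_running; };

static struct damon_ctx_model pool[POOL_SIZE], *vuln_context, *fixed_context;
static int live;   /* objects currently allocated from the pool */

static struct damon_ctx_model *ctx_alloc(void)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) {
            pool[i].in_use = true;
            pool[i].kdamond_running = false;
            live++;
            return &pool[i];
        }
    return NULL;   /* pool exhausted: leaked objects block new allocations */
}

static void ctx_free(struct damon_ctx_model *ctx) { ctx->in_use = false; live--; }

static void reset_model(void)
{
    memset(pool, 0, sizeof(pool));
    vuln_context = fixed_context = NULL;
    live = 0;
}

/* A failed damon_call() says nothing about whether the kdamond is finished. */
static int model_damon_call(struct damon_ctx_model *ctx, bool fail, bool lingers)
{
    ctx->kdamond_running = lingers;
    return fail ? -1 : 0;
}

/* Vulnerable shape: allocate on every start and never reclaim after a failed
 * call, so each retry overwrites the only pointer to the previous object. */
static int vuln_start(bool call_fails, bool kdamond_lingers)
{
    vuln_context = ctx_alloc();
    if (!vuln_context)
        return -1;
    return model_damon_call(vuln_context, call_fails, kdamond_lingers);
}

/* Fixed shape, as the commit describes: keep the object after a failure; on the
 * next start free it only once the kdamond is gone, otherwise return -EAGAIN. */
static int fixed_start(bool call_fails, bool kdamond_lingers)
{
    if (fixed_context) {
        if (fixed_context->kdamond_running)
            return -MODEL_EAGAIN;   /* freeing now would be a use-after-free */
        ctx_free(fixed_context);
        fixed_context = NULL;
    }
    fixed_context = ctx_alloc();
    if (!fixed_context)
        return -1;
    return model_damon_call(fixed_context, call_fails, kdamond_lingers);
}

/* Vulnerable path: `attempts` writes of Y, damon_call() failing every time.
 * Returns live objects: one per attempt until the pool is exhausted. */
static int leaked_after_vulnerable_retries(int attempts)
{
    reset_model();
    for (int i = 0; i < attempts; i++)
        vuln_start(true, true);
    return live;
}

/* Fixed path: second write while the kdamond still lingers. Returns -EAGAIN;
 * the single object is neither freed (no UAF) nor duplicated (no leak). */
static int fixed_retry_while_kdamond_lingers(void)
{
    reset_model();
    fixed_start(true, true);
    return fixed_start(true, true);
}

/* Fixed path: repeated failing writes, each after the kdamond has exited.
 * Returns live objects: 1 regardless of how many attempts were made. */
static int live_after_fixed_retries(int attempts)
{
    reset_model();
    for (int i = 0; i < attempts; i++) {
        fixed_start(true, true);
        fixed_context->kdamond_running = false;   /* kdamond completes its exit */
    }
    return live;
}

int main(void)
{
    printf("vulnerable, 20 retries: %d live\n", leaked_after_vulnerable_retries(20));
    printf("fixed, retry while lingering: rc=%d\n", fixed_retry_while_kdamond_lingers());
    printf("fixed, 20 retries after exit: %d live\n", live_after_fixed_retries(20));
}
```

Compile with `cc -std=c11 -Wall model.c && ./a.out`. The point of the third scenario is the retry contract: a caller that gets -EAGAIN must wait for the kdamond to exit and write Y again, which is exactly what the real fix asks of user space.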


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/stat: deallocate damon_call() failure leaking damon_ctx

damon_stat_start() always allocates the module's damon_ctx object (damon_stat_context). Meanwhile, if damon_call() in the function fails, the damon_ctx object is not deallocated. Hence, if damon_call() fails, and the user writes Y to "enabled" again, the previously allocated damon_ctx object is leaked. This cannot simply be fixed by deallocating the damon_ctx object when damon_call() fails. That's because damon_call() failure doesn't guarantee the kdamond main function, which accesses the damon_ctx object, is completely finished. In other words, if damon_stat_start() deallocates the damon_ctx object after damon_call() failure, the not-yet-terminated kdamond could access the freed memory (use-after-free). Fix the leak while avoiding the use-after-free by keeping damon_stat_start() returning without deallocating the damon_ctx object after damon_call() failure, but deallocating it when the function is invoked again and the kdamond is completely terminated. If the kdamond is not yet terminated, simply return -EAGAIN, as the kdamond will soon be terminated. The issue was discovered [1] by sashiko.

CWE(s)

CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A local, low-privilege write to the DAMON statistics module's "enabled" sysfs attribute is what triggers the kernel memory leak, and the CWE-416 classification together with the high C/I/A vector places the flaw under exploitation of a kernel vulnerability for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux Kernel)
CVE-2026-31530 (same product: Linux Kernel)
CVE-2026-43019 (same product: Linux Kernel)
CVE-2026-23158 (same product: Linux Kernel)
CVE-2025-21893 (same product: Linux Kernel)
CVE-2026-31446 (same product: Linux Kernel)
CVE-2026-31650 (same product: Linux Kernel)
CVE-2026-23001 (same product: Linux Kernel)
CVE-2024-50051 (same product: Linux Kernel)
CVE-2025-21759 (same product: Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 6.17, 7.0; 6.17.1 to 6.18.23; 6.19 to 6.19.13

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Requires timely remediation of the kernel flaw in damon_stat_start() by applying the patches that handle damon_ctx deallocation correctly after a damon_call() failure.

CM-7 Least Functionality (prevent)

Restricts enabling of the non-essential DAMON statistics module through sysfs, or leaves CONFIG_DAMON_STAT out of the kernel build entirely, so that local low-privilege users cannot trigger the leak.

Memory protection (prevent)

Kernel memory protections such as KASLR and non-executable memory do not stop the leak itself; they raise the cost of turning a use-after-free on the damon_ctx object into code execution, so they limit exploitation impact rather than prevent the flaw from being triggered.
