Cyber Resilience

CVE-2026-31735

High

Published: 01 May 2026

Modified: 07 May 2026
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0012 (2.2th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-31735 is a high-severity vulnerability of unspecified weakness type in the Linux kernel. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 2.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Other Platforms; in the Not Applicable risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-31735 is a vulnerability in the Linux kernel's IOMMU page table (iommupt) handling. The issue arises during unmap operations, where the unmap function can unmap more than the requested range if the ending point falls in the middle of a large or contiguous IOPTE. However, the subsequent gather operation only flushes the originally requested range, not the extended unmapped area, resulting in a short invalidation under this condition. This flaw was identified through new invalidation/gather tests developed in preparation for ARMv8 support.

A local attacker with low privileges (AV:L/AC:L/PR:L) can exploit this vulnerability without user interaction (UI:N). Successful exploitation leads to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a changed scope (S:C), earning a CVSS v3.1 base score of 8.8. The attack requires local access and low privileges, potentially allowing escalation or disruption in IOMMU-mediated environments.

Mitigation involves applying the relevant Linux kernel patches, available in the stable branches via commits 50ecd96a28f712f8b682c0441f4cb9b086d28816 and ee6e69d032550687a3422504bfca3f834c7b5061 on git.kernel.org. These fixes ensure the gather flushes the full unmapped range, including any extra areas affected by large IOPTEs.

Notably, the vulnerability is described as likely not triggerable in practice, as no known code relies on unmapping large entries, and it was uncovered proactively through testing rather than real-world exploitation. The root cause was deduced by Claude during development.
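
The short gather described above, as an added example that is not taken from the kernel source or the patch: a simplified C model in which an unmap request ends inside a 2 MiB large IOPTE. The page-table layout, sizes and function names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not kernel code. Assumed layout: 4 KiB leaf IOPTEs
 * everywhere except one naturally aligned 2 MiB large IOPTE at LARGE_BASE. */
#define SZ_4K      0x1000ULL
#define SZ_2M      0x200000ULL
#define LARGE_BASE 0x200000ULL

struct range { uint64_t start, end; };          /* half-open [start, end) */

static uint64_t leaf_size(uint64_t iova) {
    return (iova >= LARGE_BASE && iova < LARGE_BASE + SZ_2M) ? SZ_2M : SZ_4K;
}

/* Remove every leaf entry the request touches. A large entry cannot be
 * partially removed, so the unmapped range can end past req.end.
 * Assumes req.start is aligned to the entry it falls in. */
static struct range unmap_walk(struct range req) {
    struct range done = { req.start, req.start };
    while (done.end < req.end) {
        uint64_t sz = leaf_size(done.end);
        done.end = (done.end & ~(sz - 1)) + sz;
    }
    return done;
}

/* Range handed to the invalidation gather: the request only (behaviour the
 * advisory describes before the fix) or everything unmapped (after it). */
static struct range gather(struct range req, int fixed) {
    return fixed ? unmap_walk(req) : req;
}

/* Bytes that were unmapped but left out of the invalidation. */
static uint64_t stale_bytes(uint64_t start, uint64_t end, int fixed) {
    struct range req = { start, end };
    struct range unmapped = unmap_walk(req), flushed = gather(req, fixed);
    return unmapped.end > flushed.end ? unmapped.end - flushed.end : 0;
}

int main(void) {
    /* Constructed request: ends 4 KiB into the large IOPTE. */
    printf("before fix: %#llx bytes not invalidated\n",
           (unsigned long long)stale_bytes(0x1ff000, 0x201000, 0));
    printf("after fix:  %#llx bytes not invalidated\n",
           (unsigned long long)stale_bytes(0x1ff000, 0x201000, 1));
    return 0;
}
```

In this model the gap is non-zero only when the request ends part-way through the large entry; requests that end on an entry boundary are invalidated in full either way.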

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

iommupt: Fix short gather if the unmap goes into a large mapping

unmap has the odd behavior that it can unmap more than requested if the ending point lands within the middle of a large or contiguous IOPTE. In this case the gather should flush everything unmapped which can be larger than what was requested to be unmapped. The gather was only flushing the range requested to be unmapped, not extending to the extra range, resulting in a short invalidation if the caller hits this special condition.

This was found by the new invalidation/gather test I am adding in preparation for ARMv8. Claude deduced the root cause.

As far as I remember nothing relies on unmapping a large entry, so this is likely not a triggerable bug.

AI Security Analysis

AI Category: Other Platforms
Risk Domain: Not Applicable
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: claude

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

A local Linux kernel IOMMU unmap/invalidation flaw with high CIA impact enables exploitation for privilege escalation (T1068) by a low-privileged attacker in IOMMU-mediated contexts.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31554 (same product: Linux Linux Kernel)
CVE-2026-31504 (same product: Linux Linux Kernel)
CVE-2026-31474 (same product: Linux Linux Kernel)
CVE-2026-31516 (same product: Linux Linux Kernel)
CVE-2024-57792 (same product: Linux Linux Kernel)
CVE-2026-23326 (same product: Linux Linux Kernel)
CVE-2026-23280 (same product: Linux Linux Kernel)
CVE-2025-71123 (same product: Linux Linux Kernel)
CVE-2026-31570 (same product: Linux Linux Kernel)
CVE-2026-23288 (same product: Linux Linux Kernel)

Affected Assets

linux
linux kernel
7.0 · 6.19 — 6.19.12

Mitigating Controls (NIST 800-53 r5)

prevent

Directly mitigates CVE-2026-31735 by requiring timely remediation through application of Linux kernel patches that fix the IOMMU unmap gather flushing to cover the full unmapped range.

detect

Vulnerability scanning and monitoring identifies unpatched Linux kernels affected by the IOMMU page table unmap defect in CVE-2026-31735.

prevent, detect

Performs integrity verification of kernel software and firmware to ensure patches for the IOMMU short gather invalidation issue in CVE-2026-31735 are applied without unauthorized modifications.
