PatchSiren cyber security CVE debrief
CVE-2026-31397 Linux CVE debrief
CVE-2026-31397 affects the Linux kernel’s huge-page migration path. The bug is in move_pages_huge_pmd(), where handling of huge zero pages could either pass a NULL folio into PMD construction or rebuild a destination PMD in a way that drops special PMD state. Depending on memory configuration, this can result in a NULL dereference or a bogus PMD entry that points at non-existent physical memory and can corrupt reference counting. NVD lists the issue as HIGH severity with local, low-privilege attack requirements and impact to confidentiality, integrity, and availability.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-03
- Original CVE updated: 2026-05-20
- Advisory published: 2026-04-03
- Advisory updated: 2026-05-20
Who should care
Linux kernel maintainers, distribution security teams, and administrators of systems running affected kernel versions. This is especially relevant in environments that allow untrusted local users or multi-tenant workloads, because the CVSS vector requires local access with low privileges.
Technical summary
The vulnerable code path is mm/huge_memory: move_pages_huge_pmd(), which handles UFFDIO_MOVE for both normal transparent huge pages and huge zero pages. In the huge zero page branch, src_folio was explicitly NULL and later used in folio_mk_pmd(NULL, pgprot), which could produce a bogus PFN under SPARSEMEM_VMEMMAP or dereference NULL on other memory models. The issue also affected PMD metadata: reconstructing the destination PMD from the folio could drop pmd_special() state on architectures with CONFIG_ARCH_HAS_PTE_SPECIAL, causing vm_normal_page_pmd() to misclassify the moved huge zero PMD as normal memory and corrupt refcounts. The resolved approach uses page_folio(src_page) to obtain the valid huge zero folio and derives the destination entry from src_pmdval after pmdp_huge_clear_flush(), preserving special PMD handling. The CVE description and NVD metadata tie the issue to CWE-476 (NULL Pointer Dereference).
Defensive priority
High. The flaw is local and requires low privileges, but it affects a kernel memory-management path with potential for crash, memory corruption, and high-impact confidentiality/integrity/availability consequences. Prioritize patching affected kernels in multi-user or multi-tenant systems and any fleet that exposes local shell or workload execution to less-trusted users.
Recommended defensive actions
- Apply the vendor or upstream kernel fixes referenced by the stable git patches.
- Verify whether your running kernel is within the affected ranges listed by NVD: 6.16 through 6.18.20, 6.19 through 6.19.10, and early 7.0 release candidates noted in the record.
- Backport the fix through your distribution’s kernel package if you cannot move immediately to an unaffected release.
- Reboot into the patched kernel after update and confirm the running kernel build matches the corrected package.
- If you operate multi-user systems, treat this as a priority local privilege-escalation hardening item and accelerate patch rollout.
- Monitor kernel advisories from your distribution for any additional backported build identifiers or rollout guidance.
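For the version-range check in the list above, the following is an added example (not code from the advisory or the kernel project) that classifies a kernel release string against the ranges quoted on this page. The function names are hypothetical, the bounds are treated as inclusive following the page's "through" wording, and 7.0 release candidates are only flagged for review because the page does not say which ones are affected.

```shell
#!/bin/sh
# Triage helper for CVE-2026-31397 using the ranges quoted on this page.
# Assumption: bounds are inclusive ("through"); confirm them against the NVD record.

# ver_key X.Y[.Z] -> a single integer that sorts in version order
ver_key() {
    old_ifs=$IFS; IFS=.
    # shellcheck disable=SC2086
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# classify_kernel RELEASE -> in-range | outside-range | review | unknown
classify_kernel() {
    release=$1
    # The page mentions "early 7.0 release candidates" without naming them.
    case $release in
        7.0-rc*|7.0.0-rc*) echo review; return ;;
    esac
    # Keep the leading numeric x.y[.z]; drop suffixes such as "-generic".
    base=$(printf '%s\n' "$release" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)\{0,1\}\).*/\1/p')
    [ -n "$base" ] || { echo unknown; return; }
    k=$(ver_key "$base")
    if { [ "$k" -ge "$(ver_key 6.16)" ] && [ "$k" -le "$(ver_key 6.18.20)" ]; } ||
       { [ "$k" -ge "$(ver_key 6.19)" ] && [ "$k" -le "$(ver_key 6.19.10)" ]; }; then
        echo in-range
    else
        echo outside-range
    fi
}

# Classify the running kernel when the script is executed directly.
classify_kernel "$(uname -r)"
```

Treat the result as a triage signal only: distribution kernels can carry the backported fix while still reporting an upstream version inside these ranges, so confirm against the package changelog.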
Evidence notes
The source description is titled "mm/huge_memory: fix use of NULL folio in move_pages_huge_pmd()" and concerns huge zero page handling in UFFDIO_MOVE. It explicitly notes that passing NULL into folio_mk_pmd() can create a bogus PFN under SPARSEMEM_VMEMMAP or a NULL dereference on other memory models, and that reconstructing the PMD can drop special PMD state. NVD marks the CVE as analyzed, HIGH severity, CVSS 7.8, AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, with CWE-476. PublishedAt is 2026-04-03T16:16:38.093Z and ModifiedAt is 2026-05-20T13:06:35.743Z. The patch references are official kernel.git stable links provided in the source metadata.
Official resources
- CVE-2026-31397 CVE record (CVE.org)
- CVE-2026-31397 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch)
- Mitigation or vendor reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch)
- Mitigation or vendor reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch)
CVE published 2026-04-03T16:16:38.093Z; NVD metadata was last modified 2026-05-20T13:06:35.743Z. This debrief uses the published CVE date for timing context and the later modified date only as record-update context.