PatchSiren

CVE-2026-31398 Linux CVE debrief

CVE-2026-31398 is a Linux kernel mm/rmap flaw in lazyfree folio PTE restoration. When anonymous lazyfree folios are unmapped in batches, a mix of writable and non-writable entries can be restored as writable, and soft-dirty state may also be lost. The supplied report shows this can violate anonymous memory/CoW semantics and trigger a page_table_check BUG_ON during reclaim, crashing affected kernels.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-03
Original CVE updated: 2026-05-20
Advisory published: 2026-04-03
Advisory updated: 2026-05-20

Who should care

Linux kernel maintainers, distribution security teams, and operators running affected kernels in the listed version ranges: 6.15 through 6.18.20, 6.19 through 6.19.10, and 7.0-rc1 through 7.0-rc4. Systems that use MADV_FREE/lazyfree memory reclaim and mTHP deserve particular attention.

Technical summary

The bug is in folio_unmap_pte_batch() / lazyfree folio handling during anonymous unmap batching. If a batch contains both writable and non-writable PTEs, the restoration path can incorrectly treat the entire batch as writable. The report also notes that soft-dirty preservation was inconsistent on successful unmap, so the fix must respect both writable and soft-dirty bits during batching. In the provided reproducer, reclaim reaches try_to_unmap_one() and page_table_check_set() detects an invalid writable anonymous mapping shared across processes, resulting in a kernel BUG.

Defensive priority

High

Recommended defensive actions

  • Apply a kernel build or vendor backport that includes the upstream fix referenced by the official stable patch links.
  • Prioritize remediation on systems running kernels in the vulnerable ranges listed by NVD.
  • If you maintain custom kernels, verify the mm/rmap lazyfree folio batching fix is present in your tree.
  • After patching, regression-test workloads that use MADV_FREE, lazyfree reclaim, and mTHP for stability and unexpected kernel warnings or crashes.

Evidence notes

Source evidence is limited to the CVE description and NVD metadata. The CVE text describes incorrect PTE restoration for lazyfree folios, a crash reproducer, and the page_table_check BUG_ON trace. NVD marks the record as analyzed, assigns a CVSS 3.1 score of 7.8 HIGH (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), and lists CWE-617. NVD also provides official stable kernel patch references. The supplied dates are CVE publishedAt 2026-04-03T16:16:38.240Z and modifiedAt 2026-05-20T13:03:52.863Z.

Official resources

Publicly disclosed via the CVE/NVD record on 2026-04-03; last modified in NVD on 2026-05-20.