PatchSiren cyber security CVE debrief
CVE-2026-31456 Linux CVE debrief
A race condition was discovered in the Linux kernel's `walk_pud_range()` function. It occurs when a PUD entry is split concurrently with a refault on the PUD leaf entry. The race can trigger a kernel BUG, potentially allowing an attacker to crash the system. The vulnerability has a CVSS score of 4.7 and is classified as MEDIUM severity.
- Vendor: Linux
- Product: Unknown
- CVSS: MEDIUM 4.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-22
- Original CVE updated: 2026-06-05
- Advisory published: 2026-04-22
- Advisory updated: 2026-06-05
Who should care
Users of Linux kernel versions 6.12, 6.19, and 7.0 (up to rc5) should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by a race between concurrent split and refault operations in `walk_pud_range()`. It can trigger a kernel BUG, potentially allowing an attacker to crash the system. The fix validates the PUD entry in `walk_pmd_range()` using a stable snapshot (`pudp_get()`).
Defensive priority
MEDIUM
Recommended defensive actions
- Apply the patches provided by the Linux kernel maintainers [ref-4], [ref-5], [ref-6].
- Update to a Linux kernel version that includes the fix, such as 6.18.21, 6.19.11, or later.
Evidence notes
The vulnerability was discovered and reported by an unknown researcher. The fix was provided by the Linux kernel maintainers.
Official resources
- CVE-2026-31456 CVE record (CVE.org)
- CVE-2026-31456 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
CVE-2026-31456 was published on 2026-04-22T14:16:40.203Z and modified on 2026-06-05T17:40:38.510Z.