CVE-2026-31597
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY, as documented in mm/filemap.c:

"If our return value has VM_FAULT_RETRY set, it's because the mmap_lock may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."

When this happens, a concurrent munmap() can call remove_vma() and free the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call dereferences it -- a use-after-free.

Fix this by saving ip_blkno as a plain integer before calling filemap_fault(), and removing vma from the trace event. Since ip_blkno is copied by value before the lock can be dropped, it remains valid regardless of what happens to the vma or inode afterward.
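The following user-space C model is an added illustration, not the kernel source or the upstream patch. It contrasts the pre-fix shape (trace through the saved vma after the call that may drop the lock) with the post-fix shape (copy ip_blkno by value first). All `*_model` names, the `freed` flag and the sample block number are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>

#define VM_FAULT_RETRY 0x400u            /* local constant for this model */
struct inode_model { uint64_t ip_blkno; };
struct vma_model   { struct inode_model *inode; int freed; };

static uint64_t last_traced_blkno;       /* what the "trace event" recorded */
static int stale_vma_reads;              /* reads attempted via a retired vma */

/* Stand-in for filemap_fault(): on the retry path the lock is dropped and a
 * concurrent munmap() retires the vma. The model only sets a flag, so the
 * stale access can be counted without touching freed memory. */
static unsigned filemap_fault_model(struct vma_model *vma, int retry)
{
    if (!retry)
        return 0;
    vma->freed = 1;
    return VM_FAULT_RETRY;
}

/* Pre-fix shape: the trace step goes back through the saved vma pointer. */
static unsigned fault_before(struct vma_model *vma, int retry)
{
    unsigned ret = filemap_fault_model(vma, retry);
    if (vma->freed)
        stale_vma_reads++;               /* in the kernel: use-after-free */
    else
        last_traced_blkno = vma->inode->ip_blkno;
    return ret;
}

/* Post-fix shape: ip_blkno is copied before the lock can be dropped, and the
 * trace step takes only that integer. */
static unsigned fault_after(struct vma_model *vma, int retry)
{
    uint64_t blkno = vma->inode->ip_blkno;
    unsigned ret = filemap_fault_model(vma, retry);
    last_traced_blkno = blkno;
    return ret;
}

/* Runs one retrying fault; returns the number of stale vma reads. */
int run_model(int fixed)
{
    struct inode_model ino = { .ip_blkno = 4242 };   /* constructed value */
    struct vma_model vma = { .inode = &ino, .freed = 0 };
    stale_vma_reads = 0;
    last_traced_blkno = 0;
    unsigned ret = fixed ? fault_after(&vma, 1) : fault_before(&vma, 1);
    return (ret == VM_FAULT_RETRY) ? stale_vma_reads : -1;
}

int main(void)
{
    printf("before: %d stale read(s)\n", run_model(0));
    printf("after:  %d stale read(s), traced blkno %llu\n",
           run_model(1), (unsigned long long)last_traced_blkno);
    return 0;
}
```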
EPSS 0.02% · 3.1th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | *, *, 6.18.24 |
| linux | linux_kernel | 0, 0, 0 |
Exploit Intelligence
- https://git.kernel.org/stable/c/4cf2768a0291a0cdd0dae801ea0eafa3878a349d (circl)
- https://git.kernel.org/stable/c/d45ff441b416d4aa1af72b1db23d959601c04da2 (circl)
- https://git.kernel.org/stable/c/76a602fdbb78dd05b2da06f74a988cebc97e82d0 (circl)
- https://git.kernel.org/stable/c/925bf22c1b823e231b1baea761fe8a1512e442f2 (circl)
- 4694.0.0.yml (github-poc)
Timeline
- Apr 24, 2026 CVE Published
- Apr 24, 2026 Security Advisory
- Apr 27, 2026 Security Advisory
- Apr 27, 2026 CVE Updated
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score
References
- https://git.kernel.org/stable/c/4cf2768a0291a0cdd0dae801ea0eafa3878a349d url
- https://git.kernel.org/stable/c/d45ff441b416d4aa1af72b1db23d959601c04da2 url
- https://git.kernel.org/stable/c/76a602fdbb78dd05b2da06f74a988cebc97e82d0 url
- https://git.kernel.org/stable/c/925bf22c1b823e231b1baea761fe8a1512e442f2 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-31597 advisory
- https://lists.debian.org/debian-security-announce/2026/msg00154.html advisory
- https://lists.debian.org/debian-security-announce/2026/msg00148.html advisory