DEBIAN-CVE-2026-31787
In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: fix double free via VMA splitting privcmd_vm_ops defines .close (privcmd_close), but neither .may_split nor .open. When userspace does a partial munmap() on a privcmd mapping, the kernel splits the VMA via __split_vma(). Since may_split is NULL, the split is allowed. vm_area_dup() copies vm_private_data (a pages array allocated in alloc_empty_pages()) into the new VMA without any fixup, because there is no .open callback. Both VMAs now point to the same pages array. When the unmapped portion is closed, privcmd_close() calls: - xen_unmap_domain_gfn_range() - xen_free_unpopulated_pages() - kvfree(pages) The surviving VMA still holds the dangling pointer. When it is later destroyed, the same sequence runs again, which leads to a double free. Fix this issue by adding a .may_split callback denying the VMA split. This is XSA-487 / CVE-2026-31787
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:12 | linux | 6.10.4-1, 6.12.32-1, 6.12.21-1 |
| Debian:14 | linux | 6.15.6-1, 6.12.41-1, 0 |
| Debian:11 | linux-6.1 | 0, 6.1.106-3, 6.1.106-3 |
| Debian:13 | linux | 0, 6.12.74-1, 6.12.57-1 |
| Debian:11 | linux | 6.1.37-1, 6.1.38-1, 6.1.38-2 |
Timeline
- Apr 28, 2026 CVE Published
- May 9, 2026 CVE Updated