In the Linux kernel, the following vulnerability has been resolved:
xen/privcmd: fix double free via VMA splitting
privcmd_vm_ops defines .close (privcmd_close), but neither .may_split nor .open. When userspace does a partial munmap() on a privcmd mapping, the kernel splits the VMA via __split_vma(). Since may_split is NULL, the split is allowed. vm_area_dup() copies vm_private_data (a pages array allocated in alloc_empty_pages()) into the new VMA without any fixup, because there is no .open callback.
Both VMAs now point to the same pages array. When the unmapped portion is closed, privcmd_close() calls:
- xen_unmap_domain_gfn_range()
- xen_free_unpopulated_pages()
- kvfree(pages)
The surviving VMA still holds the dangling pointer. When it is later destroyed, the same sequence runs again, which leads to a double free.
Fix this issue by adding a .may_split callback denying the VMA split.
This is XSA-487 / CVE-2026-31787
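The split-and-close sequence above, as an added user-space model (not kernel code and not the privcmd driver's own source): the VMA, vm_operations and split routine are reduced to the pieces that matter, a shallow copy of the private data with no .open fixup versus a .may_split callback that refuses the split. The real privcmd_close() frees are replaced by a counter so the model can run without actually double-freeing.

```c
#include <stdlib.h>
#include <errno.h>

/* Minimal model of a VMA and its operations (stand-ins for vm_area_struct / vm_operations_struct). */
struct vma;
struct vm_ops {
    void (*open)(struct vma *);
    void (*close)(struct vma *);
    int  (*may_split)(struct vma *, unsigned long addr);
};
struct vma {
    unsigned long start, end;
    const struct vm_ops *ops;
    void *private_data;   /* stands in for vm_private_data: the pages array */
};

static int frees_of_pages;  /* how many times the pages array would have been kvfree()'d */

/* Models privcmd_close(): unmap, free unpopulated pages, kvfree(pages). Only counted here. */
static void model_close(struct vma *v) {
    if (v->private_data) frees_of_pages++;
}

/* The fix: a .may_split callback that denies splitting the mapping. */
static int deny_split(struct vma *v, unsigned long addr) { (void)v; (void)addr; return -EINVAL; }

/* Models __split_vma(): consult may_split, then vm_area_dup() copies the VMA verbatim
   (private_data shared) and .open, if present, runs on the copy. */
static int split_vma(struct vma *v, unsigned long addr, struct vma *out) {
    if (v->ops->may_split) { int err = v->ops->may_split(v, addr); if (err) return err; }
    *out = *v;                 /* shallow copy: both VMAs now share private_data */
    out->start = addr; v->end = addr;
    if (v->ops->open) v->ops->open(out);
    return 0;
}

/* Partial munmap of the first half, then teardown of whatever survives; returns the free count. */
static int run_scenario(const struct vm_ops *ops) {
    struct vma v = {0x1000, 0x3000, ops, NULL}, rest;
    v.private_data = malloc(16);   /* the pages array from alloc_empty_pages() */
    frees_of_pages = 0;
    if (split_vma(&v, 0x2000, &rest) == 0) {
        ops->close(&v);            /* unmapped portion closed now */
        ops->close(&rest);         /* surviving VMA destroyed later: second free */
    } else {
        ops->close(&v);            /* split refused, so the VMA is closed exactly once */
    }
    free(v.private_data);
    return frees_of_pages;
}

static const struct vm_ops buggy_ops = { .close = model_close };
static const struct vm_ops fixed_ops = { .close = model_close, .may_split = deny_split };
```

With buggy_ops the pages array is released twice (the double free); with fixed_ops the partial munmap() fails with -EINVAL and the array is released once.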