CVE-2026-31397

Source
https://cve.org/CVERecord?id=CVE-2026-31397
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31397.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31397
Downstream
Published
2026-04-03T15:16:01.427Z
Modified
2026-07-15T01:49:12.831958132Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
mm/huge_memory: fix use of NULL folio in move_pages_huge_pmd()
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/hugememory: fix use of NULL folio in movepageshugepmd()

movepageshugepmd() handles UFFDIOMOVE for both normal THPs and huge zero pages. For the huge zero page path, src_folio is explicitly set to NULL, and is used as a sentinel to skip folio operations like lock and rmap.

In the huge zero page branch, srcfolio is NULL, so foliomkpmd(NULL, pgprot) passes NULL through foliopfn() and pagetopfn(). With SPARSEMEM_VMEMMAP this silently produces a bogus PFN, installing a PMD pointing to non-existent physical memory. On other memory models it is a NULL dereference.

Use pagefolio(srcpage) to obtain the valid huge zero folio from the page, which was obtained from pmd_page() and remains valid throughout.

After commit d82d09e48219 ("mm/hugememory: mark PMD mappings of the huge zero folio special"), moved huge zero PMDs must remain special so vmnormalpagepmd() continues to treat them as special mappings.

movepageshugepmd() currently reconstructs the destination PMD in the huge zero page branch, which drops PMD state such as pmdspecial() on architectures with CONFIGARCHHASPTESPECIAL. As a result, vmnormalpage_pmd() can treat the moved huge zero PMD as a normal page and corrupt its refcount.

Instead of reconstructing the PMD from the folio, derive the destination entry from srcpmdval after pmdphugeclearflush(), then handle the PMD metadata the same way movehugepmd() does for moved entries by marking it soft-dirty and clearing uffd-wp.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31397.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e3981db444a0a18d350d9f92e3f2e8d489b54211
Fixed
f3caaee0f9e489fd2282d4ce45791dc8aed2da62
Fixed
e3133d0986dc5a231d5419167dbac65312b28b41
Fixed
fae654083bfa409bb2244f390232e2be47f05bfc

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31397.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.16.0
Fixed
6.18.20
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31397.json"