CVE-2026-31541

Source
https://cve.org/CVERecord?id=CVE-2026-31541
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31541.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31541
Downstream
Published
2026-04-24T14:33:10.505Z
Modified
2026-07-15T01:49:06.389030849Z
Summary
tracing: Fix trace_marker copy link list updates
Details

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix trace_marker copy link list updates

When the "copytracemarker" option is enabled for an instance, anything written into /sys/kernel/tracing/tracemarker is also copied into that instances buffer. When the option is set, that instance's tracearray descriptor is added to the marker_copies link list. This list is protected by RCU, as all iterations uses an RCU protected list traversal.

When the instance is deleted, all the flags that were enabled are cleared. This also clears the copytracemarker flag and removes the trace_array descriptor from the list.

The issue is after the flags are called, a direct call to updatemarkertrace() is performed to clear the flag. This function returns true if the state of the flag changed and false otherwise. If it returns true here, synchronize_rcu() is called to make sure all readers see that its removed from the list.

But since the flag was already cleared, the state does not change and the synchronization is never called, leaving a possible UAF bug.

Move the clearing of all flags below the updating of the copytracemarker option which then makes sure the synchronization is performed.

Also use the flag for checking the state in updatemarkertrace() instead of looking at if the list is empty.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31541.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7b382efd5e8af4c0c67e70ad3fb599dcd2dc0b86
Fixed
75668e58244e63ec3785098a02e1cdcff14a6c2e
Fixed
cc267e4b4302247dc67ef937a9ac587a696a43c1
Fixed
07183aac4a6828e474f00b37c9d795d0d99e18a7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31541.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.16.0
Fixed
6.18.20
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31541.json"