CVE-2026-31654

Source
https://cve.org/CVERecord?id=CVE-2026-31654
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31654.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31654
Downstream
Published
2026-04-24T14:45:06.387Z
Modified
2026-07-08T07:32:31.402434887Z
Summary
mm/vma: fix memory leak in __mmap_region()
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/vma: fix memory leak in _mmapregion()

commit 605f6586ecf7 ("mm/vma: do not leak memory when .mmapprepare swaps the file") handled the success path by skipping getfile() via filedoesntneed_get, but missed the error path.

When /dev/zero is mmap'd with MAPSHARED, mmapzeroprepare() calls shmemzerosetupdesc() which allocates a new shmem file to back the mapping. If __mmapnewvma() subsequently fails, this replacement file is never fput()'d - the original is released by ksysmmappgoff(), but nobody releases the new one.

Add fput() for the swapped file in the error path.

Reproducible with fault injection.

FAULTINJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 1 CPU: 2 UID: 0 PID: 366 Comm: syz.7.14 Not tainted 7.0.0-rc6 #2 PREEMPT(full) Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, archcaps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> dumpstacklvl+0x164/0x1f0 shouldfailex+0x525/0x650 shouldfailslab+0xdf/0x140 kmemcacheallocnoprof+0x78/0x630 vmareaalloc+0x24/0x160 __mmapregion+0xf6b/0x2660 mmapregion+0x2eb/0x3a0 do_mmap+0xc79/0x1240 vmmmappgoff+0x252/0x4c0 ksysmmappgoff+0xf8/0x120 __x64sysmmap+0x12a/0x190 dosyscall64+0xa9/0x580 entrySYSCALL64afterhwframe+0x76/0x7e </TASK>

kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak) BUG: memory leak unreferenced object 0xffff8881118aca80 (size 360): comm "syz.7.14", pid 366, jiffies 4294913255 hex dump (first 32 bytes): 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ff ff ff ff ff ff ff ff c0 28 4d ae ff ff ff ff .........(M..... backtrace (crc db0f53bc): kmemcacheallocnoprof+0x3ab/0x630 allocemptyfile+0x5a/0x1e0 allocfile_pseudo+0x135/0x220 __shmemfilesetup+0x274/0x420 shmemzerosetupdesc+0x9c/0x170 mmapzero_prepare+0x123/0x140 __mmapregion+0xdda/0x2660 mmapregion+0x2eb/0x3a0 dommap+0xc79/0x1240 vmmmappgoff+0x252/0x4c0 ksysmmap_pgoff+0xf8/0x120 __x64sysmmap+0x12a/0x190 dosyscall64+0xa9/0x580 entrySYSCALL64afterhwframe+0x76/0x7e

Found by syzkaller.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31654.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
605f6586ecf78395f0185ab24c368fb46a06e434
Fixed
61fc8eaf2ab214b32c7bce52597c80cf0ca41ada
Fixed
894f99eb535edc4514f756818f3c4f688ba53a59

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31654.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31654.json"