DEBIAN-CVE-2026-31397

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-31397

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-31397.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-31397

Upstream

CVE-2026-31397

Published

2026-04-03T16:16:38.093Z

Modified

2026-04-04T09:48:15.443921Z

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved: mm/hugememory: fix use of NULL folio in movepageshugepmd() movepageshugepmd() handles UFFDIOMOVE for both normal THPs and huge zero pages. For the huge zero page path, srcfolio is explicitly set to NULL, and is used as a sentinel to skip folio operations like lock and rmap. In the huge zero page branch, srcfolio is NULL, so foliomkpmd(NULL, pgprot) passes NULL through foliopfn() and pagetopfn(). With SPARSEMEMVMEMMAP this silently produces a bogus PFN, installing a PMD pointing to non-existent physical memory. On other memory models it is a NULL dereference. Use pagefolio(srcpage) to obtain the valid huge zero folio from the page, which was obtained from pmdpage() and remains valid throughout. After commit d82d09e48219 ("mm/hugememory: mark PMD mappings of the huge zero folio special"), moved huge zero PMDs must remain special so vmnormalpagepmd() continues to treat them as special mappings. movepageshugepmd() currently reconstructs the destination PMD in the huge zero page branch, which drops PMD state such as pmdspecial() on architectures with CONFIGARCHHASPTESPECIAL. As a result, vmnormalpagepmd() can treat the moved huge zero PMD as a normal page and corrupt its refcount. Instead of reconstructing the PMD from the folio, derive the destination entry from srcpmdval after pmdphugeclearflush(), then handle the PMD metadata the same way movehugepmd() does for moved entries by marking it soft-dirty and clearing uffd-wp.

References

https://security-tracker.debian.org/tracker/CVE-2026-31397

Affected packages

Debian:14 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.19.10-1

Affected versions

6.*

6.12.38-1

6.12.41-1

6.12.43-1~bpo12+1

6.12.43-1

6.12.48-1

6.12.57-1~bpo12+1

6.12.57-1

6.12.63-1~bpo12+1

6.12.63-1

6.12.69-1~bpo12+1

6.12.69-1

6.12.73-1~bpo12+1

6.12.73-1

6.12.74-1

6.12.74-2~bpo12+1

6.12.74-2

6.13~rc6-1~exp1

6.13~rc7-1~exp1

6.13.2-1~exp1

6.13.3-1~exp1

6.13.4-1~exp1

6.13.5-1~exp1

6.13.6-1~exp1

6.13.7-1~exp1

6.13.8-1~exp1

6.13.9-1~exp1

6.13.10-1~exp1

6.13.11-1~exp1

6.14.3-1~exp1

6.14.5-1~exp1

6.14.6-1~exp1

6.15~rc7-1~exp1

6.15-1~exp1

6.15.1-1~exp1

6.15.2-1~exp1

6.15.3-1~exp1

6.15.4-1~exp1

6.15.5-1~exp1

6.15.6-1~exp1

6.16~rc7-1~exp1

6.16-1~exp1

6.16.1-1~exp1

6.16.3-1~bpo13+1

6.16.3-1

6.16.5-1

6.16.6-1

6.16.7-1

6.16.8-1

6.16.9-1

6.16.10-1

6.16.11-1

6.16.12-1~bpo13+1

6.16.12-1

6.16.12-2

6.17.2-1~exp1

6.17.5-1~exp1

6.17.6-1

6.17.7-1

6.17.7-2

6.17.8-1~bpo13+1

6.17.8-1

6.17.9-1

6.17.10-1

6.17.11-1

6.17.12-1

6.17.13-1~bpo13+1

6.17.13-1

6.18~rc4-1~exp1

6.18~rc4-1~exp2

6.18~rc5-1~exp1

6.18~rc6-1~exp1

6.18~rc7-1~exp1

6.18.1-1~exp1

6.18.2-1~exp1

6.18.3-1

6.18.5-1~bpo13+1

6.18.5-1

6.18.8-1

6.18.9-1~bpo13+1

6.18.9-1

6.18.10-1

6.18.12-1~bpo13+1

6.18.12-1

6.18.13-1

6.18.14-1

6.18.15-1~bpo13+1

6.18.15-1

6.19~rc4-1~exp1

6.19~rc5-1~exp1

6.19~rc6-1~exp1

6.19~rc7-1~exp1

6.19~rc8-1~exp1

6.19-1~exp1

6.19.2-1~exp1

6.19.3-1~exp1

6.19.4-1~exp1

6.19.5-1~exp1

6.19.6-1

6.19.6-2~bpo13+1

6.19.6-2

6.19.8-1~bpo13+1

6.19.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-31397.json"