HOMEVULNERABILITIESCVE-2026-31397
NONE

CVE-2026-31397

Published: April 3, 2026· Updated: Apr 7, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:4.0th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

mm/huge_memory: fix use of NULL folio in move_pages_huge_pmd()

move_pages_huge_pmd() handles UFFDIO_MOVE for both normal THPs and huge

zero pages. For the huge zero page path, src_folio is explicitly set to

NULL, and is used as a sentinel to skip folio operations like lock and

rmap.

In the huge zero page branch, src_folio is NULL, so folio_mk_pmd(NULL,

pgprot) passes NULL through folio_pfn() and page_to_pfn(). With

SPARSEMEM_VMEMMAP this silently produces a bogus PFN, installing a PMD

pointing to non-existent physical memory. On other memory models it is a

NULL dereference.

Use page_folio(src_page) to obtain the valid huge zero folio from the

page, which was obtained from pmd_page() and remains valid throughout.

After commit d82d09e48219 ("mm/huge_memory: mark PMD mappings of the huge

zero folio special"), moved huge zero PMDs must remain special so

vm_normal_page_pmd() continues to treat them as special mappings.

move_pages_huge_pmd() currently reconstructs the destination PMD in the

huge zero page branch, which drops PMD state such as pmd_special() on

architectures with CONFIG_ARCH_HAS_PTE_SPECIAL. As a result,

vm_normal_page_pmd() can treat the moved huge zero PMD as a normal page

and corrupt its refcount.

Instead of reconstructing the PMD from the folio, derive the destination

entry from src_pmdval after pmdp_huge_clear_flush(), then handle the PMD

metadata the same way move_huge_pmd() does for moved entries by marking it

soft-dirty and clearing uffd-wp.

NVD Source

Technical Analysis

CVE-2026-31397 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (3)

Quick Facts

CVE IDCVE-2026-31397
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedApr 3, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-31397 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.