MEDIUM

CVE-2026-31654

Published: April 24, 2026 · Updated: Apr 27, 2026

CVSS v3.1: 5.5
EPSS: 0.02% probability of exploitation in 30 days · Percentile: 5.0th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

mm/vma: fix memory leak in __mmap_region()

commit 605f6586ecf7 ("mm/vma: do not leak memory when .mmap_prepare swaps the file") handled the success path by skipping get_file() via file_doesnt_need_get, but missed the error path.

When /dev/zero is mmap'd with MAP_SHARED, mmap_zero_prepare() calls shmem_zero_setup_desc() which allocates a new shmem file to back the mapping. If __mmap_new_vma() subsequently fails, this replacement file is never fput()'d - the original is released by ksys_mmap_pgoff(), but nobody releases the new one.

Add fput() for the swapped file in the error path.

Reproducible with fault injection.

FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
CPU: 2 UID: 0 PID: 366 Comm: syz.7.14 Not tainted 7.0.0-rc6 #2 PREEMPT(full)
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x164/0x1f0
should_fail_ex+0x525/0x650
should_failslab+0xdf/0x140
kmem_cache_alloc_noprof+0x78/0x630
vm_area_alloc+0x24/0x160
__mmap_region+0xf6b/0x2660
mmap_region+0x2eb/0x3a0
do_mmap+0xc79/0x1240
vm_mmap_pgoff+0x252/0x4c0
ksys_mmap_pgoff+0xf8/0x120
__x64_sys_mmap+0x12a/0x190
do_syscall_64+0xa9/0x580
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>

kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak)

BUG: memory leak
unreferenced object 0xffff8881118aca80 (size 360):
comm "syz.7.14", pid 366, jiffies 4294913255
hex dump (first 32 bytes):
00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
ff ff ff ff ff ff ff ff c0 28 4d ae ff ff ff ff .........(M.....
backtrace (crc db0f53bc):
kmem_cache_alloc_noprof+0x3ab/0x630
alloc_empty_file+0x5a/0x1e0
alloc_file_pseudo+0x135/0x220
__shmem_file_setup+0x274/0x420
shmem_zero_setup_desc+0x9c/0x170
mmap_zero_prepare+0x123/0x140
__mmap_region+0xdda/0x2660
mmap_region+0x2eb/0x3a0
do_mmap+0xc79/0x1240
vm_mmap_pgoff+0x252/0x4c0
ksys_mmap_pgoff+0xf8/0x120
__x64_sys_mmap+0x12a/0x190
do_syscall_64+0xa9/0x580
entry_SYSCALL_64_after_hwframe+0x76/0x7e

Found by syzkaller.

NVD Source
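
The reference imbalance described above, as an added user-space C model (not kernel code and not part of the original patch). The function names mirror those in the description; `struct file`, `pool`, `live_files`, `mmap_region_model()` and `leaked_after_mmap()` are simplified stand-ins assumed for illustration. It shows the swapped-in file staying allocated when the VMA allocation fails, and being released once the error path calls fput().

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model: names mirror the kernel functions in the description,
 * but every body is a simplified stand-in, not kernel code. */
struct file { int refs; };
static struct file pool[8];             /* stand-in allocator; refs == 0 is free */
static int live_files;                  /* slots currently holding a reference */

static struct file *alloc_file(void)    /* new file holding one reference */
{
    for (size_t i = 0; i < sizeof(pool) / sizeof(pool[0]); i++)
        if (pool[i].refs == 0) { pool[i].refs = 1; live_files++; return &pool[i]; }
    abort();                            /* pool exhausted by leaked files */
}

/* Drop one reference; the slot becomes free again at zero. */
static void fput(struct file *f) { if (--f->refs == 0) live_files--; }

/* Models __mmap_region() for a MAP_SHARED mapping of /dev/zero. */
static int mmap_region_model(bool vma_alloc_fails, bool fixed, struct file **vma_file)
{
    struct file *swapped = alloc_file(); /* .mmap_prepare swaps in a shmem file */
    if (vma_alloc_fails) {               /* __mmap_new_vma() failed */
        if (fixed) fput(swapped);        /* the fix: release the swapped file */
        return -1;
    }
    *vma_file = swapped;                 /* VMA owns this reference, no get_file() */
    return 0;
}

/* Models ksys_mmap_pgoff(); returns how many files the call left allocated. */
static int leaked_after_mmap(bool vma_alloc_fails, bool fixed)
{
    int before = live_files;
    struct file *orig = alloc_file();    /* caller's reference on /dev/zero */
    struct file *vma_file = NULL;
    if (mmap_region_model(vma_alloc_fails, fixed, &vma_file) == 0)
        fput(vma_file);                  /* a later unmap drops the VMA reference */
    fput(orig);                          /* the original is always released here */
    return live_files - before;
}

int main(void)
{
    printf("unfixed, VMA alloc fails: %d leaked\n", leaked_after_mmap(true, false));
    printf("fixed, VMA alloc fails: %d leaked\n", leaked_after_mmap(true, true));
    return 0;
}
```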

Technical Analysis

CVE-2026-31654 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in availability disruption (denial of service), with a CVSS base score of 5.5.

CVSS v3.1 Vector Breakdown

Exploitability
Attack Vector: Local
Attack Complexity: Low
Privileges Req.: Low
User Interaction: None
Scope: Unchanged
Impact
Confidentiality: None
Integrity: None
Availability: High
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Vendors & Products

Linux: 1 product
linux kernel
Source: NVD CPE · 3 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOIT: No public exploit confirmed at this time

Quick Facts

CVE ID: CVE-2026-31654
CVSS Score: 5.5 / 10
Severity: MEDIUM
CISA KEV: No
EPSS (30d): 0.02%
Affected: 1 vendor
Published: Apr 24, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-31654 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.