
CVE-2026-31686

Published: April 27, 2026 · Updated: Apr 27, 2026

EPSS: 0.02% probability of exploitation in 30 days · Percentile: 6.8th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

mm/kasan: fix double free for kasan pXds

kasan_free_pxd() assumes the page table is always struct page aligned. But that's not always the case for all architectures. E.g. In case of powerpc with 64K pagesize, PUD table (of size 4096) comes from slab cache named pgtable-2^9. Hence instead of page_to_virt(pxd_page()) let's just directly pass the start of the pxd table which is passed as the 1st argument.

This fixes the below double free kasan issue seen with PMEM:

radix-mmu: Mapped 0x0000047d10000000-0x0000047f90000000 with 2.00 MiB pages
==================================================================
BUG: KASAN: double-free in kasan_remove_zero_shadow+0x9c4/0xa20
Free of addr c0000003c38e0000 by task ndctl/2164
CPU: 34 UID: 0 PID: 2164 Comm: ndctl Not tainted 6.19.0-rc1-00048-gea1013c15392 #157 VOLUNTARY
Hardware name: IBM,9080-HEX POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_012) hv:phyp pSeries
Call Trace:
dump_stack_lvl+0x88/0xc4 (unreliable)
print_report+0x214/0x63c
kasan_report_invalid_free+0xe4/0x110
check_slab_allocation+0x100/0x150
kmem_cache_free+0x128/0x6e0
kasan_remove_zero_shadow+0x9c4/0xa20
memunmap_pages+0x2b8/0x5c0
devm_action_release+0x54/0x70
release_nodes+0xc8/0x1a0
devres_release_all+0xe0/0x140
device_unbind_cleanup+0x30/0x120
device_release_driver_internal+0x3e4/0x450
unbind_store+0xfc/0x110
drv_attr_store+0x78/0xb0
sysfs_kf_write+0x114/0x140
kernfs_fop_write_iter+0x264/0x3f0
vfs_write+0x3bc/0x7d0
ksys_write+0xa4/0x190
system_call_exception+0x190/0x480
system_call_vectored_common+0x15c/0x2ec
---- interrupt: 3000 at 0x7fff93b3d3f4
NIP: 00007fff93b3d3f4 LR: 00007fff93b3d3f4 CTR: 0000000000000000
REGS: c0000003f1b07e80 TRAP: 3000 Not tainted (6.19.0-rc1-00048-gea1013c15392)
MSR: 800000000280f033 <SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 48888208 XER: 00000000
<...>
NIP [00007fff93b3d3f4] 0x7fff93b3d3f4
LR [00007fff93b3d3f4] 0x7fff93b3d3f4
---- interrupt: 3000
The buggy address belongs to the object at c0000003c38e0000
which belongs to the cache pgtable-2^9 of size 4096
The buggy address is located 0 bytes inside of
4096-byte region [c0000003c38e0000, c0000003c38e1000)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3c38c
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:c0000003bfd63e01
flags: 0x63ffff800000040(head|node=6|zone=0|lastcpupid=0x7ffff)
page_type: f5(slab)
raw: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000
raw: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01
head: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000
head: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01
head: 063ffff800000002 c00c000000f0e301 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
[ 138.953636] [ T2164] Memory state around the buggy address:
[ 138.953643] [ T2164] c0000003c38dff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 138.953652] [ T2164] c0000003c38dff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 138.953661] [ T2164] >c0000003c38e0000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 138.953669] [ T2164] ^
[ 138.953675] [ T2164] c0000003c38e0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 138.953684] [ T2164] c0000003c38e0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 138.953692] [ T2164] ==================================================================
[ 138.953701] [ T2164] Disabling lock debugging due to kernel taint

NVD Source
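
The alignment assumption in the description above, shown as an added example that is not kernel code and not part of the original advisory. It is a simplified userspace model: toy_slab, toy_alloc, toy_free, page_base and invalid_frees are hypothetical names, and rounding an address down to its 64K page stands in for page_to_virt(pxd_page()).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PAGE_SIZE  (64u * 1024u)  /* 64K pages, as in the description */
#define TABLE_SIZE 4096u          /* PUD table size from the description */
#define SLOTS      (PAGE_SIZE / TABLE_SIZE)

/* Toy slab: one page carved into 4096-byte objects (stand-in for pgtable-2^9). */
struct toy_slab { unsigned char *page; int in_use[SLOTS]; };

static void *toy_alloc(struct toy_slab *s, unsigned slot) {
    s->in_use[slot] = 1;
    return s->page + (size_t)slot * TABLE_SIZE;
}

/* Returns 0 on a valid free, -1 when the object is not allocated (double free). */
static int toy_free(struct toy_slab *s, void *addr) {
    unsigned slot = (unsigned)(((unsigned char *)addr - s->page) / TABLE_SIZE);
    if (!s->in_use[slot]) return -1;
    s->in_use[slot] = 0;
    return 0;
}

/* Assumed model of page_to_virt(pxd_page(...)): round down to the containing page. */
static void *page_base(void *addr) {
    return (void *)((uintptr_t)addr & ~(uintptr_t)(PAGE_SIZE - 1));
}

/* Frees two tables that share one page; returns the number of invalid frees. */
int invalid_frees(int use_page_base) {
    struct toy_slab s = { .page = aligned_alloc(PAGE_SIZE, PAGE_SIZE) };
    if (!s.page) return -1;
    void *tables[2] = { toy_alloc(&s, 0), toy_alloc(&s, 1) };
    int bad = 0;
    for (int i = 0; i < 2; i++) {
        /* Buggy path frees the page base; fixed path frees the table start. */
        void *target = use_page_base ? page_base(tables[i]) : tables[i];
        if (toy_free(&s, target) != 0) bad++;
    }
    free(s.page);
    return bad;
}

int main(void) {
    printf("free via page base:   %d invalid free(s)\n", invalid_frees(1));
    printf("free via table start: %d invalid free(s)\n", invalid_frees(0));
    return 0;
}
```

With the page-base path, both tables resolve to the first object in the page, so the second free hits an already-freed object at offset 0, matching the "located 0 bytes inside of 4096-byte region" line in the report, and the second table is never released.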

Technical Analysis

CVE-2026-31686 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
IBM, Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOIT: No public exploit confirmed at this time
Always verify in a controlled environment before use.

Quick Facts

CVE ID: CVE-2026-31686
Severity: NONE
CISA KEV: No
EPSS (30d): 0.02%
Published: Apr 27, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-31686 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.