{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-31398",
        "tracking": {
            "current_release_date": "2026-04-03T16:50:32.213666Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-31398",
            "initial_release_date": "2026-04-03T15:39:44.097188Z",
            "revision_history": [
                {
                    "date": "2026-04-03T15:39:44.097188Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| Products created (3).| Products connected (5).| References created (3)."
                },
                {
                    "date": "2026-04-03T15:39:46.518972Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-04-03T16:50:28.793506Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| References created (3)."
                }
            ],
            "status": "interim",
            "version": "3"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:git/354dffd29575cdf13154e8fb787322354aa9efc4|<29f40594a28114b9a9bc87f6cf7bbee9609628f2",
                                "product": {
                                    "name": "vers:git/354dffd29575cdf13154e8fb787322354aa9efc4|<29f40594a28114b9a9bc87f6cf7bbee9609628f2",
                                    "product_id": "CSAFPID-5992274"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:git/354dffd29575cdf13154e8fb787322354aa9efc4|<99888a4f340ca8e839a0524556bd4db76d63f4e0",
                                "product": {
                                    "name": "vers:git/354dffd29575cdf13154e8fb787322354aa9efc4|<99888a4f340ca8e839a0524556bd4db76d63f4e0",
                                    "product_id": "CSAFPID-5992272"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:git/354dffd29575cdf13154e8fb787322354aa9efc4|<a0911ccdba41b0871abbf8412857bafedec3dbe1",
                                "product": {
                                    "name": "vers:git/354dffd29575cdf13154e8fb787322354aa9efc4|<a0911ccdba41b0871abbf8412857bafedec3dbe1",
                                    "product_id": "CSAFPID-5992273"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:semver/6.18.20|<=6.18.*",
                                "product": {
                                    "name": "vers:semver/6.18.20|<=6.18.*",
                                    "product_id": "CSAFPID-5905005"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:semver/6.19.10|<=6.19.*",
                                "product": {
                                    "name": "vers:semver/6.19.10|<=6.19.*",
                                    "product_id": "CSAFPID-5905006"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:semver/<6.15",
                                "product": {
                                    "name": "vers:semver/<6.15",
                                    "product_id": "CSAFPID-2925255"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/6.15",
                                "product": {
                                    "name": "vers:unknown/6.15",
                                    "product_id": "CSAFPID-2925254"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/7.0-rc5|<=*",
                                "product": {
                                    "name": "vers:unknown/7.0-rc5|<=*",
                                    "product_id": "CSAFPID-5905027"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Linux"
                    }
                ],
                "category": "vendor",
                "name": "Linux"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-31398",
            "notes": [
                {
                    "category": "description",
                    "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/rmap: fix incorrect pte restoration for lazyfree folios\n\nWe batch unmap anonymous lazyfree folios by folio_unmap_pte_batch.  If the\nbatch has a mix of writable and non-writable bits, we may end up setting\nthe entire batch writable.  Fix this by respecting writable bit during\nbatching.\n\nAlthough on a successful unmap of a lazyfree folio, the soft-dirty bit is\nlost, preserve it on pte restoration by respecting the bit during\nbatching, to make the fix consistent w.r.t both writable bit and\nsoft-dirty bit.\n\nI was able to write the below reproducer and crash the kernel. \nExplanation of reproducer (set 64K mTHP to always):\n\nFault in a 64K large folio.  Split the VMA at mid-point with\nMADV_DONTFORK.  fork() - parent points to the folio with 8 writable ptes\nand 8 non-writable ptes.  Merge the VMAs with MADV_DOFORK so that\nfolio_unmap_pte_batch() can determine all the 16 ptes as a batch.  Do\nMADV_FREE on the range to mark the folio as lazyfree.  Write to the memory\nto dirty the pte, eventually rmap will dirty the folio.  Then trigger\nreclaim, we will hit the pte restoration path, and the kernel will crash\nwith the trace given below.\n\nThe BUG happens at:\n\n\tBUG_ON(atomic_inc_return(&ptc->anon_map_count) > 1 && rw);\n\nThe code path is asking for anonymous page to be mapped writable into the\npagetable.  
The BUG_ON() firing implies that such a writable page has been\nmapped into the pagetables of more than one process, which breaks\nanonymous memory/CoW semantics.\n\n[   21.134473] kernel BUG at mm/page_table_check.c:118!\n[   21.134497] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP\n[   21.135917] Modules linked in:\n[   21.136085] CPU: 1 UID: 0 PID: 1735 Comm: dup-lazyfree Not tainted 7.0.0-rc1-00116-g018018a17770 #1028 PREEMPT\n[   21.136858] Hardware name: linux,dummy-virt (DT)\n[   21.137019] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[   21.137308] pc : page_table_check_set+0x28c/0x2a8\n[   21.137607] lr : page_table_check_set+0x134/0x2a8\n[   21.137885] sp : ffff80008a3b3340\n[   21.138124] x29: ffff80008a3b3340 x28: fffffdffc3d14400 x27: ffffd1a55e03d000\n[   21.138623] x26: 0040000000000040 x25: ffffd1a55f7dd000 x24: 0000000000000001\n[   21.139045] x23: 0000000000000001 x22: 0000000000000001 x21: ffffd1a55f217f30\n[   21.139629] x20: 0000000000134521 x19: 0000000000134519 x18: 005c43e000040000\n[   21.140027] x17: 0001400000000000 x16: 0001700000000000 x15: 000000000000ffff\n[   21.140578] x14: 000000000000000c x13: 005c006000000000 x12: 0000000000000020\n[   21.140828] x11: 0000000000000000 x10: 005c000000000000 x9 : ffffd1a55c079ee0\n[   21.141077] x8 : 0000000000000001 x7 : 005c03e000040000 x6 : 000000004000ffff\n[   21.141490] x5 : ffff00017fffce00 x4 : 0000000000000001 x3 : 0000000000000002\n[   21.141741] x2 : 0000000000134510 x1 : 0000000000000000 x0 : ffff0000c08228c0\n[   21.141991] Call trace:\n[   21.142093]  page_table_check_set+0x28c/0x2a8 (P)\n[   21.142265]  __page_table_check_ptes_set+0x144/0x1e8\n[   21.142441]  __set_ptes_anysz.constprop.0+0x160/0x1a8\n[   21.142766]  contpte_set_ptes+0xe8/0x140\n[   21.142907]  try_to_unmap_one+0x10c4/0x10d0\n[   21.143177]  rmap_walk_anon+0x100/0x250\n[   21.143315]  try_to_unmap+0xa0/0xc8\n[   21.143441]  shrink_folio_list+0x59c/0x18a8\n[   21.143759]  
shrink_lruvec+0x664/0xbf0\n[   21.144043]  shrink_node+0x218/0x878\n[   21.144285]  __node_reclaim.constprop.0+0x98/0x338\n[   21.144763]  user_proactive_reclaim+0x2a4/0x340\n[   21.145056]  reclaim_store+0x3c/0x60\n[   21.145216]  dev_attr_store+0x20/0x40\n[   21.145585]  sysfs_kf_write+0x84/0xa8\n[   21.145835]  kernfs_fop_write_iter+0x130/0x1c8\n[   21.145994]  vfs_write+0x2b8/0x368\n[   21.146119]  ksys_write+0x70/0x110\n[   21.146240]  __arm64_sys_write+0x24/0x38\n[   21.146380]  invoke_syscall+0x50/0x120\n[   21.146513]  el0_svc_common.constprop.0+0x48/0xf8\n[   21.146679]  do_el0_svc+0x28/0x40\n[   21.146798]  el0_svc+0x34/0x110\n[   21.146926]  el0t\n---truncated---",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/31xxx/CVE-2026-31398.json"
                },
                {
                    "category": "description",
                    "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/rmap: fix incorrect pte restoration for lazyfree folios\n\nWe batch unmap anonymous lazyfree folios by folio_unmap_pte_batch.  If the\nbatch has a mix of writable and non-writable bits, we may end up setting\nthe entire batch writable.  Fix this by respecting writable bit during\nbatching.\n\nAlthough on a successful unmap of a lazyfree folio, the soft-dirty bit is\nlost, preserve it on pte restoration by respecting the bit during\nbatching, to make the fix consistent w.r.t both writable bit and\nsoft-dirty bit.\n\nI was able to write the below reproducer and crash the kernel. \nExplanation of reproducer (set 64K mTHP to always):\n\nFault in a 64K large folio.  Split the VMA at mid-point with\nMADV_DONTFORK.  fork() - parent points to the folio with 8 writable ptes\nand 8 non-writable ptes.  Merge the VMAs with MADV_DOFORK so that\nfolio_unmap_pte_batch() can determine all the 16 ptes as a batch.  Do\nMADV_FREE on the range to mark the folio as lazyfree.  Write to the memory\nto dirty the pte, eventually rmap will dirty the folio.  Then trigger\nreclaim, we will hit the pte restoration path, and the kernel will crash\nwith the trace given below.\n\nThe BUG happens at:\n\n\tBUG_ON(atomic_inc_return(&ptc->anon_map_count) > 1 && rw);\n\nThe code path is asking for anonymous page to be mapped writable into the\npagetable.  
The BUG_ON() firing implies that such a writable page has been\nmapped into the pagetables of more than one process, which breaks\nanonymous memory/CoW semantics.\n\n[   21.134473] kernel BUG at mm/page_table_check.c:118!\n[   21.134497] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP\n[   21.135917] Modules linked in:\n[   21.136085] CPU: 1 UID: 0 PID: 1735 Comm: dup-lazyfree Not tainted 7.0.0-rc1-00116-g018018a17770 #1028 PREEMPT\n[   21.136858] Hardware name: linux,dummy-virt (DT)\n[   21.137019] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[   21.137308] pc : page_table_check_set+0x28c/0x2a8\n[   21.137607] lr : page_table_check_set+0x134/0x2a8\n[   21.137885] sp : ffff80008a3b3340\n[   21.138124] x29: ffff80008a3b3340 x28: fffffdffc3d14400 x27: ffffd1a55e03d000\n[   21.138623] x26: 0040000000000040 x25: ffffd1a55f7dd000 x24: 0000000000000001\n[   21.139045] x23: 0000000000000001 x22: 0000000000000001 x21: ffffd1a55f217f30\n[   21.139629] x20: 0000000000134521 x19: 0000000000134519 x18: 005c43e000040000\n[   21.140027] x17: 0001400000000000 x16: 0001700000000000 x15: 000000000000ffff\n[   21.140578] x14: 000000000000000c x13: 005c006000000000 x12: 0000000000000020\n[   21.140828] x11: 0000000000000000 x10: 005c000000000000 x9 : ffffd1a55c079ee0\n[   21.141077] x8 : 0000000000000001 x7 : 005c03e000040000 x6 : 000000004000ffff\n[   21.141490] x5 : ffff00017fffce00 x4 : 0000000000000001 x3 : 0000000000000002\n[   21.141741] x2 : 0000000000134510 x1 : 0000000000000000 x0 : ffff0000c08228c0\n[   21.141991] Call trace:\n[   21.142093]  page_table_check_set+0x28c/0x2a8 (P)\n[   21.142265]  __page_table_check_ptes_set+0x144/0x1e8\n[   21.142441]  __set_ptes_anysz.constprop.0+0x160/0x1a8\n[   21.142766]  contpte_set_ptes+0xe8/0x140\n[   21.142907]  try_to_unmap_one+0x10c4/0x10d0\n[   21.143177]  rmap_walk_anon+0x100/0x250\n[   21.143315]  try_to_unmap+0xa0/0xc8\n[   21.143441]  shrink_folio_list+0x59c/0x18a8\n[   21.143759]  
shrink_lruvec+0x664/0xbf0\n[   21.144043]  shrink_node+0x218/0x878\n[   21.144285]  __node_reclaim.constprop.0+0x98/0x338\n[   21.144763]  user_proactive_reclaim+0x2a4/0x340\n[   21.145056]  reclaim_store+0x3c/0x60\n[   21.145216]  dev_attr_store+0x20/0x40\n[   21.145585]  sysfs_kf_write+0x84/0xa8\n[   21.145835]  kernfs_fop_write_iter+0x130/0x1c8\n[   21.145994]  vfs_write+0x2b8/0x368\n[   21.146119]  ksys_write+0x70/0x110\n[   21.146240]  __arm64_sys_write+0x24/0x38\n[   21.146380]  invoke_syscall+0x50/0x120\n[   21.146513]  el0_svc_common.constprop.0+0x48/0xf8\n[   21.146679]  do_el0_svc+0x28/0x40\n[   21.146798]  el0_svc+0x34/0x110\n[   21.146926]  el0t\n---truncated---",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-31398"
                },
                {
                    "category": "other",
                    "text": "4.1",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "The value of the most recent CVSS (V3) score, Is related to a product by vendor Linux",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-2925254",
                    "CSAFPID-5992272",
                    "CSAFPID-5992273",
                    "CSAFPID-5992274"
                ],
                "known_not_affected": [
                    "CSAFPID-2925255",
                    "CSAFPID-5905005",
                    "CSAFPID-5905006",
                    "CSAFPID-5905027"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/31xxx/CVE-2026-31398.json"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-31398"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; nvd",
                    "url": "https://git.kernel.org/stable/c/99888a4f340ca8e839a0524556bd4db76d63f4e0"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; nvd",
                    "url": "https://git.kernel.org/stable/c/a0911ccdba41b0871abbf8412857bafedec3dbe1"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; nvd",
                    "url": "https://git.kernel.org/stable/c/29f40594a28114b9a9bc87f6cf7bbee9609628f2"
                }
            ],
            "title": "CVE-2026-31398"
        }
    ]
}