CVE-2026-31541

EPSS 0.01%
Veröffentlicht 24.04.2026 14:33:10
Zuletzt bearbeitet 28.04.2026 18:50:29
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

tracing: Fix trace_marker copy link list updates

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix trace_marker copy link list updates

When the "copy_trace_marker" option is enabled for an instance, anything
written into /sys/kernel/tracing/trace_marker is also copied into that
instances buffer. When the option is set, that instance's trace_array
descriptor is added to the marker_copies link list. This list is protected
by RCU, as all iterations uses an RCU protected list traversal.

When the instance is deleted, all the flags that were enabled are cleared.
This also clears the copy_trace_marker flag and removes the trace_array
descriptor from the list.

The issue is after the flags are called, a direct call to
update_marker_trace() is performed to clear the flag. This function
returns true if the state of the flag changed and false otherwise. If it
returns true here, synchronize_rcu() is called to make sure all readers
see that its removed from the list.

But since the flag was already cleared, the state does not change and the
synchronization is never called, leaving a possible UAF bug.

Move the clearing of all flags below the updating of the copy_trace_marker
option which then makes sure the synchronization is performed.

Also use the flag for checking the state in update_marker_trace() instead
of looking at if the list is empty.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 6 VulnDex Vulnerability Enrichment 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 6.16 < 6.18.20

Linux ≫ Linux Kernel Version >= 6.19 < 6.19.10

Linux ≫ Linux Kernel Version7.0 Updaterc1

Linux ≫ Linux Kernel Version7.0 Updaterc2

Linux ≫ Linux Kernel Version7.0 Updaterc3

Linux ≫ Linux Kernel Version7.0 Updaterc4

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.022

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/75668e58244e63ec3785098a02e1cdcff14a6c2e

Patch

https://git.kernel.org/stable/c/cc267e4b4302247dc67ef937a9ac587a696a43c1

Patch

https://git.kernel.org/stable/c/07183aac4a6828e474f00b37c9d795d0d99e18a7

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-31541

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-31541

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-31541

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-31541