5.5

CVE-2026-31555

EPSS 0.01%
Veröffentlicht 24.04.2026 14:35:39
Zuletzt bearbeitet 27.04.2026 20:14:27
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

futex: Clear stale exiting pointer in futex_lock_pi() retry path

In the Linux kernel, the following vulnerability has been resolved:

futex: Clear stale exiting pointer in futex_lock_pi() retry path

Fuzzying/stressing futexes triggered:

    WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524

When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY
and stores a refcounted task pointer in 'exiting'.

After wait_for_owner_exiting() consumes that reference, the local pointer
is never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a
different error, the bogus pointer is passed to wait_for_owner_exiting().

  CPU0			     CPU1		       CPU2
  futex_lock_pi(uaddr)
  // acquires the PI futex
  exit()
    futex_cleanup_begin()
      futex_state = EXITING;
			     futex_lock_pi(uaddr)
			       futex_lock_pi_atomic()
				 attach_to_pi_owner()
				   // observes EXITING
				   *exiting = owner;  // takes ref
				   return -EBUSY
			       wait_for_owner_exiting(-EBUSY, owner)
				 put_task_struct();   // drops ref
			       // exiting still points to owner
			       goto retry;
			       futex_lock_pi_atomic()
				 lock_pi_update_atomic()
				   cmpxchg(uaddr)
					*uaddr ^= WAITERS // whatever
				   // value changed
				 return -EAGAIN;
			       wait_for_owner_exiting(-EAGAIN, exiting) // stale
				 WARN_ON_ONCE(exiting)

Fix this by resetting upon retry, essentially aligning it with requeue_pi.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 0 Referenzen 11

NVD 20 VulnDex Vulnerability Enrichment 12

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 4.4.255 < 4.5

Linux ≫ Linux Kernel Version >= 4.9.255 < 4.10

Linux ≫ Linux Kernel Version >= 4.14.158 < 4.15

Linux ≫ Linux Kernel Version >= 4.19.172 < 4.20

Linux ≫ Linux Kernel Version >= 5.4.1 < 5.5

Linux ≫ Linux Kernel Version >= 5.5.1 < 5.10.253

Linux ≫ Linux Kernel Version >= 5.11 < 5.15.203

Linux ≫ Linux Kernel Version >= 5.16 < 6.1.168

Linux ≫ Linux Kernel Version >= 6.2 < 6.6.131

Linux ≫ Linux Kernel Version >= 6.7 < 6.12.80

Linux ≫ Linux Kernel Version >= 6.13 < 6.18.21

Linux ≫ Linux Kernel Version >= 6.19 < 6.19.11

Linux ≫ Linux Kernel Version5.5 Update-

Linux ≫ Linux Kernel Version7.0 Updaterc1

Linux ≫ Linux Kernel Version7.0 Updaterc2

Linux ≫ Linux Kernel Version7.0 Updaterc3

Linux ≫ Linux Kernel Version7.0 Updaterc4

Linux ≫ Linux Kernel Version7.0 Updaterc5

Linux ≫ Linux Kernel Version7.0 Updaterc6

Linux ≫ Linux Kernel Version7.0 Updaterc7

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.023

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://git.kernel.org/stable/c/33095ae3bdde5e5c264d7e88a2f3e7703a26c7aa

Patch

https://git.kernel.org/stable/c/e7824ec168d2ac883a213cd1f4d6cc0816002a85

Patch

https://git.kernel.org/stable/c/5e8e06bf8909e79b4acd950cf578cfc2f10bbefa

Patch

https://git.kernel.org/stable/c/de7c0c04ad868f2cee6671b11c0a6d20421af1da

Patch

https://git.kernel.org/stable/c/7475dfad10a05a5bfadebf5f2499bd61b19ed293

Patch

https://git.kernel.org/stable/c/92e47ad03e03dbb5515bdf06444bf6b1e147310d

Patch

https://git.kernel.org/stable/c/71112e62807d1925dc3ae6188b11f8cfc85aec23

Patch

https://git.kernel.org/stable/c/210d36d892de5195e6766c45519dfb1e65f3eb83

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-31555

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-31555

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-31555

EUVD