Security Vulnerability Report
中文
CVE-2026-31445 CVSS 5.5 MEDIUM

CVE-2026-31445

Published: 2026-04-22 14:16:38
Last Modified: 2026-05-07 19:23:11
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: avoid use of half-online-committed context One major usage of damon_call() is online DAMON parameters update. It is done by calling damon_commit_ctx() inside the damon_call() callback function. damon_commit_ctx() can fail for two reasons: 1) invalid parameters and 2) internal memory allocation failures. In case of failures, the damon_ctx that attempted to be updated (commit destination) can be partially updated (or, corrupted from a perspective), and therefore shouldn't be used anymore. The function only ensures the damon_ctx object can safely deallocated using damon_destroy_ctx(). The API callers are, however, calling damon_commit_ctx() only after asserting the parameters are valid, to avoid damon_commit_ctx() fails due to invalid input parameters. But it can still theoretically fail if the internal memory allocation fails. In the case, DAMON may run with the partially updated damon_ctx. This can result in unexpected behaviors including even NULL pointer dereference in case of damos_commit_dests() failure [1]. Such allocation failure is arguably too small to fail, so the real world impact would be rare. But, given the bad consequence, this needs to be fixed. Avoid such partially-committed (maybe-corrupted) damon_ctx use by saving the damon_commit_ctx() failure on the damon_ctx object. For this, introduce damon_ctx->maybe_corrupted field. damon_commit_ctx() sets it when it is failed. kdamond_call() checks if the field is set after each damon_call_control->fn() is executed. If it is set, ignore remaining callback requests and return. All kdamond_call() callers including kdamond_fn() also check the maybe_corrupted field right after kdamond_call() invocations. If the field is set, break the kdamond_fn() main loop so that DAMON sill doesn't use the context that might be corrupted. [[email protected]: let kdamond_call() with cancel regardless of maybe_corrupted]

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* - VULNERABLE
Linux Kernel (修复提交前)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
/* * Conceptual PoC for CVE-2026-31445 * Triggering memory corruption in DAMON context update. */ #include <linux/module.h> #include <linux/damon.h> void trigger_damon_corruption(void) { struct damon_ctx *ctx; // Setup context ctx = damon_new_ctx(); if (!ctx) return; // Simulate update under memory pressure // If kmalloc fails inside damon_commit_ctx, // ctx becomes partially updated (corrupted). if (damon_commit_ctx(ctx, NULL) < 0) { // Context is now corrupted. // Subsequent use by kdamond_fn will trigger NULL pointer dereference. printk(KERN_INFO "CVE-2026-31445: Context corrupted via allocation failure"); } }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31445", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-22T14:16:38.177", "lastModified": "2026-05-07T19:23:11.047", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: avoid use of half-online-committed context\n\nOne major usage of damon_call() is online DAMON parameters update. It is\ndone by calling damon_commit_ctx() inside the damon_call() callback\nfunction. damon_commit_ctx() can fail for two reasons: 1) invalid\nparameters and 2) internal memory allocation failures. In case of\nfailures, the damon_ctx that attempted to be updated (commit destination)\ncan be partially updated (or, corrupted from a perspective), and therefore\nshouldn't be used anymore. The function only ensures the damon_ctx object\ncan safely deallocated using damon_destroy_ctx().\n\nThe API callers are, however, calling damon_commit_ctx() only after\nasserting the parameters are valid, to avoid damon_commit_ctx() fails due\nto invalid input parameters. But it can still theoretically fail if the\ninternal memory allocation fails. In the case, DAMON may run with the\npartially updated damon_ctx. This can result in unexpected behaviors\nincluding even NULL pointer dereference in case of damos_commit_dests()\nfailure [1]. Such allocation failure is arguably too small to fail, so\nthe real world impact would be rare. But, given the bad consequence, this\nneeds to be fixed.\n\nAvoid such partially-committed (maybe-corrupted) damon_ctx use by saving\nthe damon_commit_ctx() failure on the damon_ctx object. For this,\nintroduce damon_ctx->maybe_corrupted field. damon_commit_ctx() sets it\nwhen it is failed. kdamond_call() checks if the field is set after each\ndamon_call_control->fn() is executed. If it is set, ignore remaining\ncallback requests and return. All kdamond_call() callers including\nkdamond_fn() also check the maybe_corrupted field right after\nkdamond_call() invocations. If the field is set, break the kdamond_fn()\nmain loop so that DAMON sill doesn't use the context that might be\ncorrupted.\n\n[[email protected]: let kdamond_call() with cancel regardless of maybe_corrupted]"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.18.21", "matchCriteriaId": "54C46FD6-33A9-4762-8D41-DB70D9475EFF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.11", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1b247cd0654a3a306996fa80741d79296c683a56", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/26f775a054c3cda86ad465a64141894a90a9e145", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9c495f9d3781cd692bd199531cabd4627155e8cd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.