{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31445","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.090Z","datePublished":"2026-04-22T13:53:42.090Z","dateUpdated":"2026-05-11T22:08:50.744Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:08:50.744Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: avoid use of half-online-committed context\n\nOne major usage of damon_call() is online DAMON parameters update.  It is\ndone by calling damon_commit_ctx() inside the damon_call() callback\nfunction.  damon_commit_ctx() can fail for two reasons: 1) invalid\nparameters and 2) internal memory allocation failures.  In case of\nfailures, the damon_ctx that attempted to be updated (commit destination)\ncan be partially updated (or, corrupted from a perspective), and therefore\nshouldn't be used anymore.  The function only ensures the damon_ctx object\ncan safely deallocated using damon_destroy_ctx().\n\nThe API callers are, however, calling damon_commit_ctx() only after\nasserting the parameters are valid, to avoid damon_commit_ctx() fails due\nto invalid input parameters.  But it can still theoretically fail if the\ninternal memory allocation fails.  In the case, DAMON may run with the\npartially updated damon_ctx.  This can result in unexpected behaviors\nincluding even NULL pointer dereference in case of damos_commit_dests()\nfailure [1].  Such allocation failure is arguably too small to fail, so\nthe real world impact would be rare.  But, given the bad consequence, this\nneeds to be fixed.\n\nAvoid such partially-committed (maybe-corrupted) damon_ctx use by saving\nthe damon_commit_ctx() failure on the damon_ctx object.  For this,\nintroduce damon_ctx->maybe_corrupted field.  damon_commit_ctx() sets it\nwhen it is failed.  kdamond_call() checks if the field is set after each\ndamon_call_control->fn() is executed.  If it is set, ignore remaining\ncallback requests and return.  All kdamond_call() callers including\nkdamond_fn() also check the maybe_corrupted field right after\nkdamond_call() invocations.  If the field is set, break the kdamond_fn()\nmain loop so that DAMON sill doesn't use the context that might be\ncorrupted.\n\n[sj@kernel.org: let kdamond_call() with cancel regardless of maybe_corrupted]"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/linux/damon.h","mm/damon/core.c"],"versions":[{"version":"3301f1861d34f53911a30a8f5f41b9141bd8ed39","lessThan":"9c495f9d3781cd692bd199531cabd4627155e8cd","status":"affected","versionType":"git"},{"version":"3301f1861d34f53911a30a8f5f41b9141bd8ed39","lessThan":"1b247cd0654a3a306996fa80741d79296c683a56","status":"affected","versionType":"git"},{"version":"3301f1861d34f53911a30a8f5f41b9141bd8ed39","lessThan":"26f775a054c3cda86ad465a64141894a90a9e145","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/linux/damon.h","mm/damon/core.c"],"versions":[{"version":"6.15","status":"affected"},{"version":"0","lessThan":"6.15","status":"unaffected","versionType":"semver"},{"version":"6.18.21","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.11","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.15","versionEndExcluding":"6.18.21"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.15","versionEndExcluding":"6.19.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.15","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/9c495f9d3781cd692bd199531cabd4627155e8cd"},{"url":"https://git.kernel.org/stable/c/1b247cd0654a3a306996fa80741d79296c683a56"},{"url":"https://git.kernel.org/stable/c/26f775a054c3cda86ad465a64141894a90a9e145"}],"title":"mm/damon/core: avoid use of half-online-committed context","x_generator":{"engine":"bippy-1.2.0"}}}}