{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31541","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.114Z","datePublished":"2026-04-24T14:33:10.505Z","dateUpdated":"2026-05-11T22:10:46.355Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:10:46.355Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix trace_marker copy link list updates\n\nWhen the \"copy_trace_marker\" option is enabled for an instance, anything\nwritten into /sys/kernel/tracing/trace_marker is also copied into that\ninstances buffer. When the option is set, that instance's trace_array\ndescriptor is added to the marker_copies link list. This list is protected\nby RCU, as all iterations uses an RCU protected list traversal.\n\nWhen the instance is deleted, all the flags that were enabled are cleared.\nThis also clears the copy_trace_marker flag and removes the trace_array\ndescriptor from the list.\n\nThe issue is after the flags are called, a direct call to\nupdate_marker_trace() is performed to clear the flag. This function\nreturns true if the state of the flag changed and false otherwise. If it\nreturns true here, synchronize_rcu() is called to make sure all readers\nsee that its removed from the list.\n\nBut since the flag was already cleared, the state does not change and the\nsynchronization is never called, leaving a possible UAF bug.\n\nMove the clearing of all flags below the updating of the copy_trace_marker\noption which then makes sure the synchronization is performed.\n\nAlso use the flag for checking the state in update_marker_trace() instead\nof looking at if the list is empty."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/trace/trace.c"],"versions":[{"version":"7b382efd5e8af4c0c67e70ad3fb599dcd2dc0b86","lessThan":"75668e58244e63ec3785098a02e1cdcff14a6c2e","status":"affected","versionType":"git"},{"version":"7b382efd5e8af4c0c67e70ad3fb599dcd2dc0b86","lessThan":"cc267e4b4302247dc67ef937a9ac587a696a43c1","status":"affected","versionType":"git"},{"version":"7b382efd5e8af4c0c67e70ad3fb599dcd2dc0b86","lessThan":"07183aac4a6828e474f00b37c9d795d0d99e18a7","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/trace/trace.c"],"versions":[{"version":"6.16","status":"affected"},{"version":"0","lessThan":"6.16","status":"unaffected","versionType":"semver"},{"version":"6.18.20","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.10","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"6.18.20"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"6.19.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/75668e58244e63ec3785098a02e1cdcff14a6c2e"},{"url":"https://git.kernel.org/stable/c/cc267e4b4302247dc67ef937a9ac587a696a43c1"},{"url":"https://git.kernel.org/stable/c/07183aac4a6828e474f00b37c9d795d0d99e18a7"}],"title":"tracing: Fix trace_marker copy link list updates","x_generator":{"engine":"bippy-1.2.0"}}}}