{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31555","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.115Z","datePublished":"2026-04-24T14:35:39.211Z","dateUpdated":"2026-05-11T22:11:02.897Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:11:02.897Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Clear stale exiting pointer in futex_lock_pi() retry path\n\nFuzzying/stressing futexes triggered:\n\n    WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524\n\nWhen futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY\nand stores a refcounted task pointer in 'exiting'.\n\nAfter wait_for_owner_exiting() consumes that reference, the local pointer\nis never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a\ndifferent error, the bogus pointer is passed to wait_for_owner_exiting().\n\n  CPU0\t\t\t     CPU1\t\t       CPU2\n  futex_lock_pi(uaddr)\n  // acquires the PI futex\n  exit()\n    futex_cleanup_begin()\n      futex_state = EXITING;\n\t\t\t     futex_lock_pi(uaddr)\n\t\t\t       futex_lock_pi_atomic()\n\t\t\t\t attach_to_pi_owner()\n\t\t\t\t   // observes EXITING\n\t\t\t\t   *exiting = owner;  // takes ref\n\t\t\t\t   return -EBUSY\n\t\t\t       wait_for_owner_exiting(-EBUSY, owner)\n\t\t\t\t put_task_struct();   // drops ref\n\t\t\t       // exiting still points to owner\n\t\t\t       goto retry;\n\t\t\t       futex_lock_pi_atomic()\n\t\t\t\t lock_pi_update_atomic()\n\t\t\t\t   cmpxchg(uaddr)\n\t\t\t\t\t*uaddr ^= WAITERS // whatever\n\t\t\t\t   // value changed\n\t\t\t\t return -EAGAIN;\n\t\t\t       wait_for_owner_exiting(-EAGAIN, exiting) // stale\n\t\t\t\t WARN_ON_ONCE(exiting)\n\nFix this by resetting upon retry, essentially aligning it with requeue_pi."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/futex/pi.c"],"versions":[{"version":"3ef240eaff36b8119ac9e2ea17cbf41179c930ba","lessThan":"33095ae3bdde5e5c264d7e88a2f3e7703a26c7aa","status":"affected","versionType":"git"},{"version":"3ef240eaff36b8119ac9e2ea17cbf41179c930ba","lessThan":"e7824ec168d2ac883a213cd1f4d6cc0816002a85","status":"affected","versionType":"git"},{"version":"3ef240eaff36b8119ac9e2ea17cbf41179c930ba","lessThan":"5e8e06bf8909e79b4acd950cf578cfc2f10bbefa","status":"affected","versionType":"git"},{"version":"3ef240eaff36b8119ac9e2ea17cbf41179c930ba","lessThan":"de7c0c04ad868f2cee6671b11c0a6d20421af1da","status":"affected","versionType":"git"},{"version":"3ef240eaff36b8119ac9e2ea17cbf41179c930ba","lessThan":"7475dfad10a05a5bfadebf5f2499bd61b19ed293","status":"affected","versionType":"git"},{"version":"3ef240eaff36b8119ac9e2ea17cbf41179c930ba","lessThan":"92e47ad03e03dbb5515bdf06444bf6b1e147310d","status":"affected","versionType":"git"},{"version":"3ef240eaff36b8119ac9e2ea17cbf41179c930ba","lessThan":"71112e62807d1925dc3ae6188b11f8cfc85aec23","status":"affected","versionType":"git"},{"version":"3ef240eaff36b8119ac9e2ea17cbf41179c930ba","lessThan":"210d36d892de5195e6766c45519dfb1e65f3eb83","status":"affected","versionType":"git"},{"version":"f2a9957e5c08b1b1caacd18a3dc4c0a1bdb7b463","status":"affected","versionType":"git"},{"version":"cf16e42709aa86aa3e37f3acc3d13d5715d90096","status":"affected","versionType":"git"},{"version":"61fa9f167caaa73d0a7c88f498eceeb12c6fa3db","status":"affected","versionType":"git"},{"version":"7874eee0130adf9bee28e8720bb5dd051089def3","status":"affected","versionType":"git"},{"version":"fc3b55ef2c840bb2746b2d8121a0788de84f7fac","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/futex/pi.c"],"versions":[{"version":"5.5","status":"affected"},{"version":"0","lessThan":"5.5","status":"unaffected","versionType":"semver"},{"version":"5.10.253","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.203","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.168","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.131","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.80","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.21","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.11","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.10.253"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.15.203"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"6.1.168"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"6.6.131"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"6.12.80"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"6.18.21"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"6.19.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"7.0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.4.255"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9.255"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14.158"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.172"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/33095ae3bdde5e5c264d7e88a2f3e7703a26c7aa"},{"url":"https://git.kernel.org/stable/c/e7824ec168d2ac883a213cd1f4d6cc0816002a85"},{"url":"https://git.kernel.org/stable/c/5e8e06bf8909e79b4acd950cf578cfc2f10bbefa"},{"url":"https://git.kernel.org/stable/c/de7c0c04ad868f2cee6671b11c0a6d20421af1da"},{"url":"https://git.kernel.org/stable/c/7475dfad10a05a5bfadebf5f2499bd61b19ed293"},{"url":"https://git.kernel.org/stable/c/92e47ad03e03dbb5515bdf06444bf6b1e147310d"},{"url":"https://git.kernel.org/stable/c/71112e62807d1925dc3ae6188b11f8cfc85aec23"},{"url":"https://git.kernel.org/stable/c/210d36d892de5195e6766c45519dfb1e65f3eb83"}],"title":"futex: Clear stale exiting pointer in futex_lock_pi() retry path","x_generator":{"engine":"bippy-1.2.0"}}}}