{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31597","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.121Z","datePublished":"2026-04-24T14:42:22.655Z","dateUpdated":"2026-05-11T22:11:52.105Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:11:52.105Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY\n\nfilemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,\nas documented in mm/filemap.c:\n\n  \"If our return value has VM_FAULT_RETRY set, it's because the mmap_lock\n  may be dropped before doing I/O or by lock_folio_maybe_drop_mmap().\"\n\nWhen this happens, a concurrent munmap() can call remove_vma() and free\nthe vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then\nbecomes a dangling pointer, and the subsequent trace_ocfs2_fault() call\ndereferences it -- a use-after-free.\n\nFix this by saving ip_blkno as a plain integer before calling\nfilemap_fault(), and removing vma from the trace event. Since\nip_blkno is copied by value before the lock can be dropped, it\nremains valid regardless of what happens to the vma or inode\nafterward."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ocfs2/mmap.c","fs/ocfs2/ocfs2_trace.h"],"versions":[{"version":"614a9e849ca6ea24843795251cb30af525d5336b","lessThan":"6f072daefcab1d84ce37c073645615f63be91006","status":"affected","versionType":"git"},{"version":"614a9e849ca6ea24843795251cb30af525d5336b","lessThan":"4cf2768a0291a0cdd0dae801ea0eafa3878a349d","status":"affected","versionType":"git"},{"version":"614a9e849ca6ea24843795251cb30af525d5336b","lessThan":"d45ff441b416d4aa1af72b1db23d959601c04da2","status":"affected","versionType":"git"},{"version":"614a9e849ca6ea24843795251cb30af525d5336b","lessThan":"76a602fdbb78dd05b2da06f74a988cebc97e82d0","status":"affected","versionType":"git"},{"version":"614a9e849ca6ea24843795251cb30af525d5336b","lessThan":"925bf22c1b823e231b1baea761fe8a1512e442f2","status":"affected","versionType":"git"},{"version":"614a9e849ca6ea24843795251cb30af525d5336b","lessThan":"7de554cabf160e331e4442e2a9ad874ca9875921","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ocfs2/mmap.c","fs/ocfs2/ocfs2_trace.h"],"versions":[{"version":"2.6.39","status":"affected"},{"version":"0","lessThan":"2.6.39","status":"unaffected","versionType":"semver"},{"version":"6.6.136","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.83","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.24","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.14","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0.1","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1-rc1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"6.6.136"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"6.12.83"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"6.18.24"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"6.19.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"7.0.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"7.1-rc1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/6f072daefcab1d84ce37c073645615f63be91006"},{"url":"https://git.kernel.org/stable/c/4cf2768a0291a0cdd0dae801ea0eafa3878a349d"},{"url":"https://git.kernel.org/stable/c/d45ff441b416d4aa1af72b1db23d959601c04da2"},{"url":"https://git.kernel.org/stable/c/76a602fdbb78dd05b2da06f74a988cebc97e82d0"},{"url":"https://git.kernel.org/stable/c/925bf22c1b823e231b1baea761fe8a1512e442f2"},{"url":"https://git.kernel.org/stable/c/7de554cabf160e331e4442e2a9ad874ca9875921"}],"title":"ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY","x_generator":{"engine":"bippy-1.2.0"}}}}