{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31652","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.128Z","datePublished":"2026-04-24T14:45:04.930Z","dateUpdated":"2026-05-11T22:12:57.491Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:12:57.491Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/stat: deallocate damon_call() failure leaking damon_ctx\n\ndamon_stat_start() always allocates the module's damon_ctx object\n(damon_stat_context).  Meanwhile, if damon_call() in the function fails,\nthe damon_ctx object is not deallocated.  Hence, if the damon_call() is\nfailed, and the user writes Y to “enabled” again, the previously\nallocated damon_ctx object is leaked.\n\nThis cannot simply be fixed by deallocating the damon_ctx object when\ndamon_call() fails.  That's because damon_call() failure doesn't guarantee\nthe kdamond main function, which accesses the damon_ctx object, is\ncompletely finished.  In other words, if damon_stat_start() deallocates\nthe damon_ctx object after damon_call() failure, the not-yet-terminated\nkdamond could access the freed memory (use-after-free).\n\nFix the leak while avoiding the use-after-free by keeping returning\ndamon_stat_start() without deallocating the damon_ctx object after\ndamon_call() failure, but deallocating it when the function is invoked\nagain and the kdamond is completely terminated.  If the kdamond is not yet\nterminated, simply return -EAGAIN, as the kdamond will soon be terminated.\n\nThe issue was discovered [1] by sashiko."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["mm/damon/stat.c"],"versions":[{"version":"405f61996d9d2e9d497cd9f6b66f41dc28d3d1d8","lessThan":"447f8870b484f6596d7a7130e72bd0a3f1e037bb","status":"affected","versionType":"git"},{"version":"405f61996d9d2e9d497cd9f6b66f41dc28d3d1d8","lessThan":"16c92e9bf55fa049ddb5e894dc0623dacd46a620","status":"affected","versionType":"git"},{"version":"405f61996d9d2e9d497cd9f6b66f41dc28d3d1d8","lessThan":"4c04c6b47c361612b1d70cec8f7a60b1482d1400","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["mm/damon/stat.c"],"versions":[{"version":"6.17","status":"affected"},{"version":"0","lessThan":"6.17","status":"unaffected","versionType":"semver"},{"version":"6.18.23","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.13","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.17","versionEndExcluding":"6.18.23"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.17","versionEndExcluding":"6.19.13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.17","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/447f8870b484f6596d7a7130e72bd0a3f1e037bb"},{"url":"https://git.kernel.org/stable/c/16c92e9bf55fa049ddb5e894dc0623dacd46a620"},{"url":"https://git.kernel.org/stable/c/4c04c6b47c361612b1d70cec8f7a60b1482d1400"}],"title":"mm/damon/stat: deallocate damon_call() failure leaking damon_ctx","x_generator":{"engine":"bippy-1.2.0"}}}}