Bug 2461526 (CVE-2026-31554)

Summary: CVE-2026-31554 kernel: futex: Require sys_futex_requeue() to have identical flags
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel. A local attacker could exploit a use-after-free vulnerability by calling the `sys_futex_requeue()` function with inconsistent flags. This could lead to a system crash, resulting in a denial of service, or potentially allow for privilege escalation.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-04-24 15:06:37 UTC 
In the Linux kernel, the following vulnerability has been resolved:

futex: Require sys_futex_requeue() to have identical flags

Nicholas reported that his LLM found it was possible to create a UaF
when sys_futex_requeue() is used with different flags. The initial
motivation for allowing different flags was the variable sized futex,
but since that hasn't been merged (yet), simply mandate the flags are
identical, as is the case for the old style sys_futex() requeue
operations.
Comment 1 Keith Grant 2026-04-24 17:18:08 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026042456-CVE-2026-31554-377c@gregkh/T