Bug 2464092 (CVE-2026-31787) - CVE-2026-31787 kernel: xen/privcmd: fix double free via VMA splitting
Summary: CVE-2026-31787 kernel: xen/privcmd: fix double free via VMA splitting
Keywords:
Status: NEW
Alias: CVE-2026-31787
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-04-30 12:01 UTC by OSIDB Bzimport
Modified: 2026-06-25 12:02 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:26427 0 None None None 2026-06-16 18:55:31 UTC
Red Hat Product Errata RHSA-2026:26428 0 None None None 2026-06-16 18:29:37 UTC
Red Hat Product Errata RHSA-2026:27288 0 None None None 2026-06-19 23:21:54 UTC
Red Hat Product Errata RHSA-2026:27789 0 None None None 2026-06-22 08:28:42 UTC

Description OSIDB Bzimport 2026-04-30 12:01:27 UTC
In the Linux kernel, the following vulnerability has been resolved:

xen/privcmd: fix double free via VMA splitting

privcmd_vm_ops defines .close (privcmd_close), but neither .may_split
nor .open. When userspace does a partial munmap() on a privcmd mapping,
the kernel splits the VMA via __split_vma(). Since may_split is NULL,
the split is allowed. vm_area_dup() copies vm_private_data (a pages
array allocated in alloc_empty_pages()) into the new VMA without any
fixup, because there is no .open callback.

Both VMAs now point to the same pages array. When the unmapped portion
is closed, privcmd_close() calls:
    - xen_unmap_domain_gfn_range()
    - xen_free_unpopulated_pages()
    - kvfree(pages)

The surviving VMA still holds the dangling pointer. When it is later
destroyed, the same sequence runs again, which leads to a double free.

Fix this issue by adding a .may_split callback denying the VMA split.

This is XSA-487 / CVE-2026-31787

Comment 3 errata-xmlrpc 2026-06-16 18:29:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:26428 https://access.redhat.com/errata/RHSA-2026:26428

Comment 4 errata-xmlrpc 2026-06-16 18:55:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:26427 https://access.redhat.com/errata/RHSA-2026:26427

Comment 5 errata-xmlrpc 2026-06-19 23:21:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:27288 https://access.redhat.com/errata/RHSA-2026:27288

Comment 6 errata-xmlrpc 2026-06-22 08:28:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:27789 https://access.redhat.com/errata/RHSA-2026:27789


Note You need to log in before you can comment on or make changes to this bug.