xen/privcmd: fix double free via VMA splitting

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-31787
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-04-30 11:16:21 UTC
Updated2026-05-04 09:16:00 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: xen/privcmd: fix double free via VMA splitting privcmd_vm_ops defines .close (privcmd_close), but neither .may_split nor .open. When userspace does a partial munmap() on a privcmd mapping, the kernel splits the VMA via __split_vma(). Since may_split is NULL, the split is allowed. vm_area_dup() copies vm_private_data (a pages array allocated in alloc_empty_pages()) into the new VMA without any fixup, because there is no .open callback. Both VMAs now point to the same pages array. When the unmapped portion is closed, privcmd_close() calls: - xen_unmap_domain_gfn_range() - xen_free_unpopulated_pages() - kvfree(pages) The surviving VMA still holds the dangling pointer. When it is later destroyed, the same sequence runs again, which leads to a double free. Fix this issue by adding a .may_split callback denying the VMA split. This is XSA-487 / CVE-2026-31787

Risk And Classification

EPSS: 0.000330000 probability, percentile 0.094820000 (date 2026-05-03)

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected d71f513985c22f1050295d1a7e4327cf9fb060da dbf862ce9f009128ab86b234d91413a3e450beb4 git Not specified
CNA Linux Linux affected d71f513985c22f1050295d1a7e4327cf9fb060da 2b985d3a024b9e8c24e21671b34e855569763808 git Not specified
CNA Linux Linux affected d71f513985c22f1050295d1a7e4327cf9fb060da 1576ff3869cbd3620717195f971c85b7d7fd62b5 git Not specified
CNA Linux Linux affected d71f513985c22f1050295d1a7e4327cf9fb060da 402d84ad9e89bd4cbfd07ca8598532b7021daf95 git Not specified
CNA Linux Linux affected d71f513985c22f1050295d1a7e4327cf9fb060da 2894a351fe2ea8684919d36df3188b9a35e3926f git Not specified
CNA Linux Linux affected d71f513985c22f1050295d1a7e4327cf9fb060da 446ee446d9ae66f36e95c3c90bbcc4e56b94cde0 git Not specified
CNA Linux Linux affected d71f513985c22f1050295d1a7e4327cf9fb060da 71bf829800758a6e3889096e4754ef47ba7fc850 git Not specified
CNA Linux Linux affected d71f513985c22f1050295d1a7e4327cf9fb060da 24daca4fc07f3ff8cd0e3f629cd982187f48436a git Not specified
CNA Linux Linux affected 3.8 Not specified
CNA Linux Linux unaffected 3.8 semver Not specified
CNA Linux Linux unaffected 5.10.254 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.204 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.170 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.137 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.85 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.26 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.3 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1-rc2 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/2b985d3a024b9e8c24e21671b34e855569763808 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
www.openwall.com/lists/oss-security/2026/04/28/14 af854a3a-2127-422b-91ae-364da2661108 www.openwall.com
git.kernel.org/stable/c/24daca4fc07f3ff8cd0e3f629cd982187f48436a 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/402d84ad9e89bd4cbfd07ca8598532b7021daf95 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
xenbits.xen.org/xsa/advisory-487.html af854a3a-2127-422b-91ae-364da2661108 xenbits.xen.org
git.kernel.org/stable/c/1576ff3869cbd3620717195f971c85b7d7fd62b5 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/446ee446d9ae66f36e95c3c90bbcc4e56b94cde0 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/dbf862ce9f009128ab86b234d91413a3e450beb4 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/2894a351fe2ea8684919d36df3188b9a35e3926f 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/71bf829800758a6e3889096e4754ef47ba7fc850 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report