{"api_version":"1","generated_at":"2026-05-04T12:33:24+00:00","cve":"CVE-2026-31787","urls":{"html":"https://cve.report/CVE-2026-31787","api":"https://cve.report/api/cve/CVE-2026-31787.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-31787","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-31787"},"summary":{"title":"xen/privcmd: fix double free via VMA splitting","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nxen/privcmd: fix double free via VMA splitting\n\nprivcmd_vm_ops defines .close (privcmd_close), but neither .may_split\nnor .open. When userspace does a partial munmap() on a privcmd mapping,\nthe kernel splits the VMA via __split_vma(). Since may_split is NULL,\nthe split is allowed. vm_area_dup() copies vm_private_data (a pages\narray allocated in alloc_empty_pages()) into the new VMA without any\nfixup, because there is no .open callback.\n\nBoth VMAs now point to the same pages array. When the unmapped portion\nis closed, privcmd_close() calls:\n    - xen_unmap_domain_gfn_range()\n    - xen_free_unpopulated_pages()\n    - kvfree(pages)\n\nThe surviving VMA still holds the dangling pointer. When it is later\ndestroyed, the same sequence runs again, which leads to a double free.\n\nFix this issue by adding a .may_split callback denying the VMA split.\n\nThis is XSA-487 / CVE-2026-31787","state":"PUBLISHED","assigner":"Linux","published_at":"2026-04-30 11:16:21","updated_at":"2026-05-04 09:16:00"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/2b985d3a024b9e8c24e21671b34e855569763808","name":"https://git.kernel.org/stable/c/2b985d3a024b9e8c24e21671b34e855569763808","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"http://www.openwall.com/lists/oss-security/2026/04/28/14","name":"http://www.openwall.com/lists/oss-security/2026/04/28/14","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/24daca4fc07f3ff8cd0e3f629cd982187f48436a","name":"https://git.kernel.org/stable/c/24daca4fc07f3ff8cd0e3f629cd982187f48436a","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/402d84ad9e89bd4cbfd07ca8598532b7021daf95","name":"https://git.kernel.org/stable/c/402d84ad9e89bd4cbfd07ca8598532b7021daf95","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"http://xenbits.xen.org/xsa/advisory-487.html","name":"http://xenbits.xen.org/xsa/advisory-487.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/1576ff3869cbd3620717195f971c85b7d7fd62b5","name":"https://git.kernel.org/stable/c/1576ff3869cbd3620717195f971c85b7d7fd62b5","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/446ee446d9ae66f36e95c3c90bbcc4e56b94cde0","name":"https://git.kernel.org/stable/c/446ee446d9ae66f36e95c3c90bbcc4e56b94cde0","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/dbf862ce9f009128ab86b234d91413a3e450beb4","name":"https://git.kernel.org/stable/c/dbf862ce9f009128ab86b234d91413a3e450beb4","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/2894a351fe2ea8684919d36df3188b9a35e3926f","name":"https://git.kernel.org/stable/c/2894a351fe2ea8684919d36df3188b9a35e3926f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/71bf829800758a6e3889096e4754ef47ba7fc850","name":"https://git.kernel.org/stable/c/71bf829800758a6e3889096e4754ef47ba7fc850","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-31787","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31787","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d71f513985c22f1050295d1a7e4327cf9fb060da dbf862ce9f009128ab86b234d91413a3e450beb4 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d71f513985c22f1050295d1a7e4327cf9fb060da 2b985d3a024b9e8c24e21671b34e855569763808 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d71f513985c22f1050295d1a7e4327cf9fb060da 1576ff3869cbd3620717195f971c85b7d7fd62b5 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d71f513985c22f1050295d1a7e4327cf9fb060da 402d84ad9e89bd4cbfd07ca8598532b7021daf95 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d71f513985c22f1050295d1a7e4327cf9fb060da 2894a351fe2ea8684919d36df3188b9a35e3926f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d71f513985c22f1050295d1a7e4327cf9fb060da 446ee446d9ae66f36e95c3c90bbcc4e56b94cde0 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d71f513985c22f1050295d1a7e4327cf9fb060da 71bf829800758a6e3889096e4754ef47ba7fc850 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d71f513985c22f1050295d1a7e4327cf9fb060da 24daca4fc07f3ff8cd0e3f629cd982187f48436a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3.8","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 3.8 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.254 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.204 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.170 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.137 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.85 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.26 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.3 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1-rc2 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"31787","cve":"CVE-2026-31787","epss":"0.000330000","percentile":"0.094820000","score_date":"2026-05-03","updated_at":"2026-05-04 00:13:05"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2026-04-30T10:39:37.622Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"http://www.openwall.com/lists/oss-security/2026/04/28/14"},{"url":"http://xenbits.xen.org/xsa/advisory-487.html"}],"title":"CVE Program Container"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/xen/privcmd.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"dbf862ce9f009128ab86b234d91413a3e450beb4","status":"affected","version":"d71f513985c22f1050295d1a7e4327cf9fb060da","versionType":"git"},{"lessThan":"2b985d3a024b9e8c24e21671b34e855569763808","status":"affected","version":"d71f513985c22f1050295d1a7e4327cf9fb060da","versionType":"git"},{"lessThan":"1576ff3869cbd3620717195f971c85b7d7fd62b5","status":"affected","version":"d71f513985c22f1050295d1a7e4327cf9fb060da","versionType":"git"},{"lessThan":"402d84ad9e89bd4cbfd07ca8598532b7021daf95","status":"affected","version":"d71f513985c22f1050295d1a7e4327cf9fb060da","versionType":"git"},{"lessThan":"2894a351fe2ea8684919d36df3188b9a35e3926f","status":"affected","version":"d71f513985c22f1050295d1a7e4327cf9fb060da","versionType":"git"},{"lessThan":"446ee446d9ae66f36e95c3c90bbcc4e56b94cde0","status":"affected","version":"d71f513985c22f1050295d1a7e4327cf9fb060da","versionType":"git"},{"lessThan":"71bf829800758a6e3889096e4754ef47ba7fc850","status":"affected","version":"d71f513985c22f1050295d1a7e4327cf9fb060da","versionType":"git"},{"lessThan":"24daca4fc07f3ff8cd0e3f629cd982187f48436a","status":"affected","version":"d71f513985c22f1050295d1a7e4327cf9fb060da","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/xen/privcmd.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"3.8"},{"lessThan":"3.8","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.254","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.204","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.170","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.137","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.85","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.26","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.3","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1-rc2","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.254","versionStartIncluding":"3.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.204","versionStartIncluding":"3.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.170","versionStartIncluding":"3.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.137","versionStartIncluding":"3.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.85","versionStartIncluding":"3.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.26","versionStartIncluding":"3.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.3","versionStartIncluding":"3.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1-rc2","versionStartIncluding":"3.8","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nxen/privcmd: fix double free via VMA splitting\n\nprivcmd_vm_ops defines .close (privcmd_close), but neither .may_split\nnor .open. When userspace does a partial munmap() on a privcmd mapping,\nthe kernel splits the VMA via __split_vma(). Since may_split is NULL,\nthe split is allowed. vm_area_dup() copies vm_private_data (a pages\narray allocated in alloc_empty_pages()) into the new VMA without any\nfixup, because there is no .open callback.\n\nBoth VMAs now point to the same pages array. When the unmapped portion\nis closed, privcmd_close() calls:\n    - xen_unmap_domain_gfn_range()\n    - xen_free_unpopulated_pages()\n    - kvfree(pages)\n\nThe surviving VMA still holds the dangling pointer. When it is later\ndestroyed, the same sequence runs again, which leads to a double free.\n\nFix this issue by adding a .may_split callback denying the VMA split.\n\nThis is XSA-487 / CVE-2026-31787"}],"providerMetadata":{"dateUpdated":"2026-05-04T07:46:41.556Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/dbf862ce9f009128ab86b234d91413a3e450beb4"},{"url":"https://git.kernel.org/stable/c/2b985d3a024b9e8c24e21671b34e855569763808"},{"url":"https://git.kernel.org/stable/c/1576ff3869cbd3620717195f971c85b7d7fd62b5"},{"url":"https://git.kernel.org/stable/c/402d84ad9e89bd4cbfd07ca8598532b7021daf95"},{"url":"https://git.kernel.org/stable/c/2894a351fe2ea8684919d36df3188b9a35e3926f"},{"url":"https://git.kernel.org/stable/c/446ee446d9ae66f36e95c3c90bbcc4e56b94cde0"},{"url":"https://git.kernel.org/stable/c/71bf829800758a6e3889096e4754ef47ba7fc850"},{"url":"https://git.kernel.org/stable/c/24daca4fc07f3ff8cd0e3f629cd982187f48436a"}],"title":"xen/privcmd: fix double free via VMA splitting","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-31787","datePublished":"2026-04-30T10:31:28.992Z","dateReserved":"2026-03-09T15:48:24.141Z","dateUpdated":"2026-05-04T07:46:41.556Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-30 11:16:21","lastModifiedDate":"2026-05-04 09:16:00","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"31787","Ordinal":"1","Title":"xen/privcmd: fix double free via VMA splitting","CVE":"CVE-2026-31787","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"31787","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nxen/privcmd: fix double free via VMA splitting\n\nprivcmd_vm_ops defines .close (privcmd_close), but neither .may_split\nnor .open. When userspace does a partial munmap() on a privcmd mapping,\nthe kernel splits the VMA via __split_vma(). Since may_split is NULL,\nthe split is allowed. vm_area_dup() copies vm_private_data (a pages\narray allocated in alloc_empty_pages()) into the new VMA without any\nfixup, because there is no .open callback.\n\nBoth VMAs now point to the same pages array. When the unmapped portion\nis closed, privcmd_close() calls:\n    - xen_unmap_domain_gfn_range()\n    - xen_free_unpopulated_pages()\n    - kvfree(pages)\n\nThe surviving VMA still holds the dangling pointer. When it is later\ndestroyed, the same sequence runs again, which leads to a double free.\n\nFix this issue by adding a .may_split callback denying the VMA split.\n\nThis is XSA-487 / CVE-2026-31787","Type":"Description","Title":"xen/privcmd: fix double free via VMA splitting"}]}}}