{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31554", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.115Z", "datePublished": "2026-04-24T14:35:38.527Z", "dateUpdated": "2026-05-11T22:11:01.744Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:11:01.744Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Require sys_futex_requeue() to have identical flags\n\nNicholas reported that his LLM found it was possible to create a UaF\nwhen sys_futex_requeue() is used with different flags. The initial\nmotivation for allowing different flags was the variable sized futex,\nbut since that hasn't been merged (yet), simply mandate the flags are\nidentical, as is the case for the old style sys_futex() requeue\noperations."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/futex/syscalls.c"], "versions": [{"version": "0f4b5f972216782a4acb1ae00dcb55173847c2ff", "lessThan": "027145ace09fad4c7cbcd6c61fe9b429c63eb0e5", "status": "affected", "versionType": "git"}, {"version": "0f4b5f972216782a4acb1ae00dcb55173847c2ff", "lessThan": "18b7d09c2b794c71d4252f3ea2cf84ad12b73d6a", "status": "affected", "versionType": "git"}, {"version": "0f4b5f972216782a4acb1ae00dcb55173847c2ff", "lessThan": "e2f78c7ec1655fedd945366151ba54fcb9580508", "status": "affected", "versionType": "git"}, {"version": "0f4b5f972216782a4acb1ae00dcb55173847c2ff", "lessThan": "19f94b39058681dec64a10ebeb6f23fe7fc3f77a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/futex/syscalls.c"], "versions": [{"version": "6.7", "status": "affected"}, {"version": "0", "lessThan": "6.7", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/027145ace09fad4c7cbcd6c61fe9b429c63eb0e5"}, {"url": "https://git.kernel.org/stable/c/18b7d09c2b794c71d4252f3ea2cf84ad12b73d6a"}, {"url": "https://git.kernel.org/stable/c/e2f78c7ec1655fedd945366151ba54fcb9580508"}, {"url": "https://git.kernel.org/stable/c/19f94b39058681dec64a10ebeb6f23fe7fc3f77a"}], "title": "futex: Require sys_futex_requeue() to have identical flags", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "92943666-715A-42F1-AF8E-6D1419BD7D3E", "versionEndExcluding": "6.12.80", "versionStartIncluding": "6.7.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE", "versionEndExcluding": "6.18.21", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.7:-:*:*:*:*:*:*", "matchCriteriaId": "62B55B1B-7D3E-499B-9C42-E9F1EF05A54A", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Require sys_futex_requeue() to have identical flags\n\nNicholas reported that his LLM found it was possible to create a UaF\nwhen sys_futex_requeue() is used with different flags. The initial\nmotivation for allowing different flags was the variable sized futex,\nbut since that hasn't been merged (yet), simply mandate the flags are\nidentical, as is the case for the old style sys_futex() requeue\noperations."}], "id": "CVE-2026-31554", "lastModified": "2026-04-27T20:14:55.107", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-24T15:16:29.730", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/027145ace09fad4c7cbcd6c61fe9b429c63eb0e5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/18b7d09c2b794c71d4252f3ea2cf84ad12b73d6a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/19f94b39058681dec64a10ebeb6f23fe7fc3f77a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e2f78c7ec1655fedd945366151ba54fcb9580508"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: futex: Require sys_futex_requeue() to have identical flags", "id": "2461526", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461526"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in the Linux kernel. A local attacker could exploit a use-after-free vulnerability by calling the `sys_futex_requeue()` function with inconsistent flags. This could lead to a system crash, resulting in a denial of service, or potentially allow for privilege escalation."], "name": "CVE-2026-31554", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31554\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31554\nhttps://lore.kernel.org/linux-cve-announce/2026042456-CVE-2026-31554-377c@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0f4b5f972216782a4acb1ae00dcb55173847c2ff,027145ace09fad4c7cbcd6c61fe9b429c63eb0e5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0f4b5f972216782a4acb1ae00dcb55173847c2ff,18b7d09c2b794c71d4252f3ea2cf84ad12b73d6a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0f4b5f972216782a4acb1ae00dcb55173847c2ff,e2f78c7ec1655fedd945366151ba54fcb9580508)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0f4b5f972216782a4acb1ae00dcb55173847c2ff,19f94b39058681dec64a10ebeb6f23fe7fc3f77a)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.7"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.7)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.80,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T14:16:09.484685+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that enforces identical flags for sys_futex_requeue() (e.g., the latest stable release from the upstream repository).", "Audit and modify any system code that calls sys_futex_requeue() to ensure that all flag arguments are identical, preventing the use\u2011after\u2011free condition.", "Verify that any system services or libraries interacting with futex use matching flags and adjust them to comply after patching."], "summary": {"action": "Patch Now", "impact": "Use\u2011After\u2011Free in the Linux kernel"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all Linux kernel releases that include the buggy sys_futex_requeue implementation, specifically kernel 6.7 and all 7.0 release candidate stages (rc1 through rc7).", "description_and_impact": "Calling sys_futex_requeue() with mismatched flags in the Linux kernel can trigger a use\u2011after\u2011free error, corrupting kernel memory and potentially allowing an attacker to gain arbitrary code execution or escalated privileges. The defect is characterized by CWE\u2011416.", "risk_and_exploitability": "The CVSS score of 7.8 indicates a moderately high severity level, while the EPSS score of less than 1% suggests a low likelihood of current exploitation. Because the vulnerability is not listed in CISA KEV, no widespread exploitation has been observed. The attack vector is likely local: an attacker must invoke sys_futex_requeue() with non\u2011identical flags, a condition that can be abused to corrupt kernel memory and potentially achieve privilege escalation or denial of service. Applying the patch that enforces identical flags eliminates this risk."}}}}, "created": "2026-04-27T19:15:11.617125+00:00", "updated": "2026-04-28T14:30:33.739100+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}