CVE-2026-31555

In the Linux kernel, the following vulnerability has been resolved: futex: Clear stale exiting pointer in futex_lock_pi() retry path Fuzzying/stressing futexes triggered: WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524 When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY and stores a refcounted task pointer in 'exiting'. After wait_for_owner_exiting() consumes that reference, the local pointer is never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a different error, the bogus pointer is passed to wait_for_owner_exiting(). CPU0 CPU1 CPU2 futex_lock_pi(uaddr) // acquires the PI futex exit() futex_cleanup_begin() futex_state = EXITING; futex_lock_pi(uaddr) futex_lock_pi_atomic() attach_to_pi_owner() // observes EXITING *exiting = owner; // takes ref return -EBUSY wait_for_owner_exiting(-EBUSY, owner) put_task_struct(); // drops ref // exiting still points to owner goto retry; futex_lock_pi_atomic() lock_pi_update_atomic() cmpxchg(uaddr) *uaddr ^= WAITERS // whatever // value changed return -EAGAIN; wait_for_owner_exiting(-EAGAIN, exiting) // stale WARN_ON_ONCE(exiting) Fix this by resetting upon retry, essentially aligning it with requeue_pi.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/210d36d892de5195e6766c45519dfb1e65f3eb83	Patch
https://git.kernel.org/stable/c/33095ae3bdde5e5c264d7e88a2f3e7703a26c7aa	Patch
https://git.kernel.org/stable/c/5e8e06bf8909e79b4acd950cf578cfc2f10bbefa	Patch
https://git.kernel.org/stable/c/71112e62807d1925dc3ae6188b11f8cfc85aec23	Patch
https://git.kernel.org/stable/c/7475dfad10a05a5bfadebf5f2499bd61b19ed293	Patch
https://git.kernel.org/stable/c/92e47ad03e03dbb5515bdf06444bf6b1e147310d	Patch
https://git.kernel.org/stable/c/de7c0c04ad868f2cee6671b11c0a6d20421af1da	Patch
https://git.kernel.org/stable/c/e7824ec168d2ac883a213cd1f4d6cc0816002a85	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:5.5:-::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

History

27 Apr 2026, 20:14

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
CWE		NVD-CWE-noinfo
First Time		Linux Linux linux Kernel
References	~~() https://git.kernel.org/stable/c/210d36d892de5195e6766c45519dfb1e65f3eb83 -~~	() https://git.kernel.org/stable/c/210d36d892de5195e6766c45519dfb1e65f3eb83 - Patch
References	~~() https://git.kernel.org/stable/c/33095ae3bdde5e5c264d7e88a2f3e7703a26c7aa -~~	() https://git.kernel.org/stable/c/33095ae3bdde5e5c264d7e88a2f3e7703a26c7aa - Patch
References	~~() https://git.kernel.org/stable/c/5e8e06bf8909e79b4acd950cf578cfc2f10bbefa -~~	() https://git.kernel.org/stable/c/5e8e06bf8909e79b4acd950cf578cfc2f10bbefa - Patch
References	~~() https://git.kernel.org/stable/c/71112e62807d1925dc3ae6188b11f8cfc85aec23 -~~	() https://git.kernel.org/stable/c/71112e62807d1925dc3ae6188b11f8cfc85aec23 - Patch
References	~~() https://git.kernel.org/stable/c/7475dfad10a05a5bfadebf5f2499bd61b19ed293 -~~	() https://git.kernel.org/stable/c/7475dfad10a05a5bfadebf5f2499bd61b19ed293 - Patch
References	~~() https://git.kernel.org/stable/c/92e47ad03e03dbb5515bdf06444bf6b1e147310d -~~	() https://git.kernel.org/stable/c/92e47ad03e03dbb5515bdf06444bf6b1e147310d - Patch
References	~~() https://git.kernel.org/stable/c/de7c0c04ad868f2cee6671b11c0a6d20421af1da -~~	() https://git.kernel.org/stable/c/de7c0c04ad868f2cee6671b11c0a6d20421af1da - Patch
References	~~() https://git.kernel.org/stable/c/e7824ec168d2ac883a213cd1f4d6cc0816002a85 -~~	() https://git.kernel.org/stable/c/e7824ec168d2ac883a213cd1f4d6cc0816002a85 - Patch
CPE		cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc6:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc7:::::: cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc4:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3:::::: cpe:2.3:o:linux:linux_kernel:5.5:-:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::

24 Apr 2026, 15:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-24 15:16

Updated : 2026-04-27 20:14

NVD link : CVE-2026-31555

Mitre link : CVE-2026-31555

CVE.ORG link : CVE-2026-31555

JSON object : View

Products Affected

linux

linux_kernel

CWE

NVD-CWE-noinfo

5.5 /10