IM
IronMonkey Threat Research

CVE-2026-31555 MEDIUM

Published: 2026-04-24 | Last Modified: 2026-07-14 | Status: Modified

Description

In the Linux kernel, the following vulnerability has been resolved: futex: Clear stale exiting pointer in futex_lock_pi() retry path Fuzzying/stressing futexes triggered: WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524 When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY and stores a refcounted task pointer in 'exiting'. After wait_for_owner_exiting() consumes that reference, the local pointer is never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a different error, the bogus pointer is passed to wait_for_owner_exiting(). CPU0 CPU1 CPU2 futex_lock_pi(uaddr) // acquires the PI futex exit() futex_cleanup_begin() futex_state = EXITING; futex_lock_pi(uaddr) futex_lock_pi_atomic() attach_to_pi_owner() // observes EXITING *exiting = owner; // takes ref return -EBUSY wait_for_owner_exiting(-EBUSY, owner) put_task_struct(); // drops ref // exiting still points to owner goto retry; futex_lock_pi_atomic() lock_pi_update_atomic() cmpxchg(uaddr) *uaddr ^= WAITERS // whatever // value changed return -EAGAIN; wait_for_owner_exiting(-EAGAIN, exiting) // stale WARN_ON_ONCE(exiting) Fix this by resetting upon retry, essentially aligning it with requeue_pi.

CVSS Metrics

Base Score: 5.5 (MEDIUM)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack VectorLOCAL
Attack ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactNONE
Integrity ImpactNONE
Availability ImpactHIGH

Source: [email protected]

Type: Primary

Exploitability Score: 1.8

Impact Score: 3.6

Weaknesses

Source Type Description
[email protected] Primary
en NVD-CWE-noinfo

Affected Products

Vendor Product Version Update Type
linux linux_kernel * <built-in method update of dict object at 0x702b4032a340> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b4032b600> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b4032bf00> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bcbbf5d40> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bcbbf5780> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bcbbf7180> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bcbbf6280> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b4032b480> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd8a5740> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bcbbf4a40> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b40328380> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b4032b080> Operating System
linux linux_kernel 5.5 <built-in method update of dict object at 0x702c04787e40> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702bcbbf6980> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702b4032b3c0> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702bdd8a6140> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702b4032b640> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702b40329940> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702b4032ae40> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702bde4f1840> Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:5.5:-:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

References

Notification
Message here