VYPR
High severity (7.8) · NVD Advisory · Published Apr 3, 2026 · Updated May 20, 2026

CVE-2026-31397

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/huge_memory: fix use of NULL folio in move_pages_huge_pmd()

move_pages_huge_pmd() handles UFFDIO_MOVE for both normal THPs and huge zero pages. For the huge zero page path, src_folio is explicitly set to NULL, and is used as a sentinel to skip folio operations like lock and rmap.

In the huge zero page branch, src_folio is NULL, so folio_mk_pmd(NULL, pgprot) passes NULL through folio_pfn() and page_to_pfn(). With SPARSEMEM_VMEMMAP this silently produces a bogus PFN, installing a PMD pointing to non-existent physical memory. On other memory models it is a NULL dereference.

Use page_folio(src_page) to obtain the valid huge zero folio from the page, which was obtained from pmd_page() and remains valid throughout.

After commit d82d09e48219 ("mm/huge_memory: mark PMD mappings of the huge zero folio special"), moved huge zero PMDs must remain special so vm_normal_page_pmd() continues to treat them as special mappings.

move_pages_huge_pmd() currently reconstructs the destination PMD in the huge zero page branch, which drops PMD state such as pmd_special() on architectures with CONFIG_ARCH_HAS_PTE_SPECIAL. As a result, vm_normal_page_pmd() can treat the moved huge zero PMD as a normal page and corrupt its refcount.

Instead of reconstructing the PMD from the folio, derive the destination entry from src_pmdval after pmdp_huge_clear_flush(), then handle the PMD metadata the same way move_huge_pmd() does for moved entries by marking it soft-dirty and clearing uffd-wp.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-of-NULL-folio bug in Linux huge page migration can install bogus PMD entries, leading to memory corruption.

Vulnerability

CVE-2026-31397 is a use-of-NULL-folio vulnerability in the Linux kernel's huge page migration code. The function move_pages_huge_pmd() handles moving transparent huge pages (THPs) via UFFDIO_MOVE. When moving a huge zero page, the variable src_folio is explicitly set to NULL as a sentinel. This NULL folio is subsequently passed to folio_mk_pmd(NULL, pgprot), which internally calls folio_pfn() and page_to_pfn(). On memory models using SPARSEMEM_VMEMMAP, this yields a bogus PFN (page frame number) without a crash, resulting in the installation of a PMD entry pointing to non-existent physical memory. On other memory models, it causes a NULL pointer dereference [1].

Exploitation

To trigger this bug, an attacker must have the ability to perform userfaultfd operations (UFFDIO_MOVE) on huge pages—specifically on a huge zero page—and the affected kernel must be built with transparent huge page support. The bug is local, requiring a user with userfaultfd access (or a process that can control the huge zero page mapping). The attacker does not need physical access; the exploitation is done via specific syscalls that invoke the huge page migration path [2].

Impact

Successful exploitation can cause memory corruption by creating PMD table entries that map to non-existent physical pages. On SPARSEMEM_VMEMMAP systems, this corrupts the page table state silently, potentially leading to kernel crashes (denial of service) or, if carefully orchestrated, to privilege escalation or arbitrary read/write. Additionally, the patch notes that after a related commit (d82d09e48219), the huge zero PMD must remain special; the buggy reconstruction of the destination PMD drops the pmd_special() flag, causing vm_normal_page_pmd() to treat it as a normal page and corrupt its refcount, further increasing the impact [3].

Mitigation

The vulnerability is fixed in the Linux kernel stable trees by commits e3133d0986dc, f3caaee0f9e4, and fae654083bfa. These changes ensure that src_folio is correctly derived from the page (via page_folio(src_page)) and that the destination PMD is derived from the source PMD value after the clear and flush, preserving special flags. Users should apply the latest stable kernel updates or backport the fix. No workaround is mentioned besides avoiding the use of UFFDIO_MOVE on huge zero pages until patched.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
