VYPR
Medium severity 5.5 · NVD Advisory · Published Apr 24, 2026 · Updated Apr 27, 2026

CVE-2026-31555

Description

In the Linux kernel, the following vulnerability has been resolved:

futex: Clear stale exiting pointer in futex_lock_pi() retry path

Fuzzing/stressing futexes triggered:

WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524

When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY and stores a refcounted task pointer in 'exiting'.

After wait_for_owner_exiting() consumes that reference, the local pointer is never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a different error, the bogus pointer is passed to wait_for_owner_exiting().

CPU0 CPU1 CPU2
futex_lock_pi(uaddr)
// acquires the PI futex
exit()
  futex_cleanup_begin()
    futex_state = EXITING;
futex_lock_pi(uaddr)
  futex_lock_pi_atomic()
    attach_to_pi_owner()
      // observes EXITING
      *exiting = owner; // takes ref
      return -EBUSY
  wait_for_owner_exiting(-EBUSY, owner)
    put_task_struct(); // drops ref
  // exiting still points to owner
  goto retry;
  futex_lock_pi_atomic()
    lock_pi_update_atomic()
      cmpxchg(uaddr)
*uaddr ^= WAITERS // whatever
      // value changed
      return -EAGAIN;
  wait_for_owner_exiting(-EAGAIN, exiting) // stale
    WARN_ON_ONCE(exiting)

Fix this by resetting upon retry, essentially aligning it with requeue_pi.
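
The retry sequence described above, reduced to a single-threaded userspace model (an added example, not the kernel's code or the upstream patch). The *_model functions, struct task and run_lock_pi_model() are hypothetical stand-ins that mirror only the return codes and the 'exiting' handling named in the description.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model: names follow the advisory, bodies are simplified. */
struct task { int refs; };
static int warnings;            /* counts modelled WARN_ON_ONCE(exiting) hits */

/* Stand-in for futex_lock_pi_atomic(): attempt 0 observes an exiting owner,
 * attempt 1 observes a changed futex word and leaves *exiting untouched. */
static int lock_pi_atomic_model(int attempt, struct task *owner, struct task **exiting)
{
    if (attempt == 0) {
        owner->refs++;          /* takes ref */
        *exiting = owner;
        return -EBUSY;
    }
    return attempt == 1 ? -EAGAIN : 0;
}

/* Stand-in for wait_for_owner_exiting(): only -EBUSY may carry a task. */
static void wait_for_owner_exiting_model(int ret, struct task *exiting)
{
    if (ret != -EBUSY) {
        if (exiting)
            warnings++;         /* a stale pointer reaches the warning */
        return;
    }
    exiting->refs--;            /* put_task_struct(): reference consumed */
}

/* Runs one lock attempt; returns how many times the warning condition hit. */
int run_lock_pi_model(int reset_on_retry)
{
    struct task owner = { .refs = 1 };
    struct task *exiting = NULL;
    int ret, attempt = 0;

    warnings = 0;
retry:
    if (reset_on_retry)
        exiting = NULL;         /* the fix: clear the pointer on every retry */
    ret = lock_pi_atomic_model(attempt++, &owner, &exiting);
    if (ret == -EBUSY || ret == -EAGAIN) {
        wait_for_owner_exiting_model(ret, exiting);
        goto retry;
    }
    return warnings;
}

int main(void) { printf("%d %d\n", run_lock_pi_model(0), run_lock_pi_model(1)); return 0; }
```
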

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free-like kernel warning in futex_lock_pi() due to a stale 'exiting' pointer not being cleared on retry.

Vulnerability Analysis

CVE-2026-31555 is a Linux kernel vulnerability in the FUTEX_LOCK_PI syscall path. When futex_lock_pi_atomic() detects that the futex owner is exiting, it returns -EBUSY and stores a refcounted pointer to the exiting task in the local variable exiting. After wait_for_owner_exiting() consumes that reference, the local pointer is never reset to NULL. On a subsequent retry, if futex_lock_pi_atomic() returns a different error, the stale pointer is passed to wait_for_owner_exiting() again, which triggers the WARN_ON_ONCE() there [1].

Exploitation Scenario

The bug is triggered by concurrent futex operations and an exiting process. A local attacker on the same system can induce the race by issuing overlapping futex lock and exit calls. The attack requires no privileges beyond the ability to execute code and create threads on the system. The root cause is a missing pointer nullification in the retry path of futex_lock_pi() [1].

Impact

When the stale pointer is reused, the kernel triggers a warning in kernel/futex/core.c. This warning itself does not crash the system, but it indicates a potential logic error that could be escalated further. The official description and fix confirm that this is a local denial-of-service scenario as the warning conditions can be hit repeatedly by a malicious fuzzer or attacker [1].

Mitigation

Patches have been applied to the upstream Linux kernel repository and backported to stable branches. The fix aligns the behavior with the already corrected requeue_pi code path [1]. Administrators should apply the latest kernel updates from their distribution to eliminate the vulnerability.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

10
  • Linux/Kernel: 9 versions
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* range: >=4.4.255,<4.5
    • cpe:2.3:o:linux:linux_kernel:5.5:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Patches

0

No patches discovered yet.


References

8
