CVE-2026-31398 Overview
A memory corruption vulnerability has been identified in the Linux kernel's memory management subsystem, specifically in the mm/rmap component. The flaw involves incorrect page table entry (PTE) restoration for lazyfree folios during batch unmap operations via folio_unmap_pte_batch(). When a batch contains a mix of writable and non-writable PTEs, the vulnerability may incorrectly set the entire batch as writable, breaking anonymous memory and Copy-on-Write (CoW) semantics.
Critical Impact
This vulnerability can cause kernel crashes and potentially allow a writable page to be mapped into the page tables of more than one process, violating fundamental memory isolation guarantees and CoW semantics.
Affected Products
- Linux kernel versions with vulnerable mm/rmap implementation
- Systems using 64K mTHP (multi-size Transparent Huge Pages)
- Linux kernel builds with CONFIG_PAGE_TABLE_CHECK enabled
Discovery Timeline
- April 3, 2026 - CVE-2026-31398 published to NVD
- April 7, 2026 - Last updated in NVD database
Technical Details for CVE-2026-31398
Vulnerability Analysis
The vulnerability resides in the folio_unmap_pte_batch() function within the Linux kernel's reverse mapping (mm/rmap) subsystem. This function is responsible for batch unmapping anonymous lazyfree folios. The core issue is that when processing a batch of PTEs with mixed writable and non-writable permissions, the function fails to properly respect the writable bit during batching operations.
During PTE restoration after a failed unmap of a lazyfree folio, the entire batch may be restored with writable permissions even when individual PTEs should remain non-writable. This breaks the fundamental invariant that anonymous pages should only be mapped writable into a single process's address space. The same issue affects the soft-dirty bit, which is used for tracking memory modifications.
Root Cause
The root cause is the improper handling of permission bits during PTE batching operations in folio_unmap_pte_batch(). The function aggregates PTEs for batch processing but does not preserve the individual writable and soft-dirty bit states when determining batch properties. This leads to permission escalation where non-writable PTEs inherit writable status from other PTEs in the same batch.
The bug manifests when:
- A large folio spans multiple PTEs with different permission states
- VMA splitting and merging operations create batches with mixed permissions
- MADV_FREE marks the folio as lazyfree
- Memory reclaim triggers the restoration path
Attack Vector
The vulnerability can be triggered through a specific sequence of memory operations. The exploitation scenario involves faulting in a 64K large folio, splitting the VMA using MADV_DONTFORK, calling fork() to create mixed writable/non-writable PTE states, merging VMAs with MADV_DOFORK, applying MADV_FREE to mark the folio as lazyfree, writing to memory to dirty the PTE, and then triggering reclaim to hit the PTE restoration path.
When the BUG_ON() check in page_table_check_set() detects that an anonymous page is being mapped writable into multiple processes' page tables, the kernel crashes with the error at mm/page_table_check.c:118.
Detection Methods for CVE-2026-31398
Indicators of Compromise
- Kernel panic or BUG messages referencing page_table_check_set+0x28c or similar offsets in mm/page_table_check.c
- Stack traces showing try_to_unmap_one, rmap_walk_anon, and shrink_folio_list in the call chain
- System crashes during memory reclaim operations with contpte_set_ptes in the trace
- Unexpected kernel oops messages with error code 00000000f2000800 on ARM64 systems
Detection Strategies
- Enable CONFIG_PAGE_TABLE_CHECK in kernel configuration to catch violations at runtime
- Monitor kernel logs for BUG messages related to anon_map_count assertions
- Implement system monitoring for unexpected kernel crashes during high memory pressure
- Review system logs for patterns indicating shrink_node or __node_reclaim operations preceding crashes
Monitoring Recommendations
- Configure crash dump collection (kdump) to capture kernel state during crashes for forensic analysis
- Monitor dmesg output for warnings related to memory management and rmap operations
- Set up alerts for kernel panic events on production systems
- Track memory reclaim statistics for anomalies that may indicate vulnerability exploitation attempts
How to Mitigate CVE-2026-31398
Immediate Actions Required
- Apply the latest kernel patches from the stable kernel tree addressing this vulnerability
- If patching is not immediately possible, consider disabling mTHP features temporarily
- Monitor systems for kernel crashes exhibiting the described call trace patterns
- Prioritize patching on systems under high memory pressure where reclaim is frequent
Patch Information
The Linux kernel maintainers have released patches to fix this vulnerability. The fix ensures that both the writable bit and soft-dirty bit are properly respected during PTE batching operations in folio_unmap_pte_batch().
Patches are available from the following kernel commits:
Workarounds
- Disable multi-size Transparent Huge Pages (mTHP) by setting mTHP to never instead of always
- Avoid using MADV_FREE (lazyfree) on memory regions that undergo VMA splitting and merging
- Consider disabling THP entirely on affected systems until patches can be applied
- Limit memory pressure on affected systems to reduce frequency of reclaim operations
# Disable mTHP temporarily as a workaround
echo never > /sys/kernel/mm/transparent_hugepage/hugepages-64kB/enabled
# Alternatively, disable THP entirely
echo never > /sys/kernel/mm/transparent_hugepage/enabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
