CVE-2026-31456 Overview
A race condition vulnerability has been identified in the Linux kernel's memory management subsystem, specifically within the walk_pud_range() function in mm/pagewalk. The vulnerability occurs when splitting a PUD (Page Upper Directory) entry races with a concurrent thread refaulting the PUD leaf entry, causing the kernel to attempt walking a PMD (Page Middle Directory) range that has been invalidated.
This vulnerability can be triggered when reading numa_maps of a process while VFIO-PCI is setting up DMA (specifically the vfio_pin_pages_remote call) on a large BAR for that process. The race condition results in a kernel BUG and system crash due to an inability to handle a page fault.
Critical Impact
Exploitation can cause kernel panic and system crashes, leading to denial of service conditions on affected Linux systems running concurrent memory operations with VFIO-PCI DMA setup.
Affected Products
- Linux Kernel (multiple versions with vulnerable mm/pagewalk implementation)
- Systems using VFIO-PCI for device passthrough
- Linux distributions running vulnerable kernel versions
Discovery Timeline
- April 22, 2026 - CVE CVE-2026-31456 published to NVD
- April 23, 2026 - Last updated in NVD database
Technical Details for CVE-2026-31456
Vulnerability Analysis
The vulnerability resides in the Linux kernel's page table walking infrastructure within the memory management subsystem. When the kernel traverses page tables via walk_pud_range(), it can encounter a race condition where a PUD entry is being split while another thread simultaneously attempts to refault the same PUD leaf entry.
The problematic sequence occurs when:
- Thread A initiates a page walk operation (e.g., reading /proc/[pid]/numa_maps)
- Thread B performs VFIO-PCI DMA setup, calling vfio_pin_pages_remote() on a large BAR
- The PUD entry split in Thread A races with the PUD leaf refault in Thread B
- Thread A attempts to descend into a PMD range that no longer exists
This results in the kernel attempting to access invalid memory addresses (as shown in the crash dump at address ffffa23980000000), triggering an Oops with "unable to handle page fault" followed by a kernel BUG.
Root Cause
The root cause is the lack of proper synchronization when reading PUD entries during page table walks. The walk_pud_range() function does not take a stable snapshot of the PUD entry before descending into PMD ranges, allowing the entry to change between the time it's checked and when it's used (a classic Time-of-Check Time-of-Use pattern).
The fix addresses this by:
- Using pudp_get() to obtain a stable snapshot of the PUD entry in walk_pmd_range()
- Validating that the PUD is present and not a leaf before proceeding
- Returning ACTION_AGAIN to retry the walk if validation fails, mirroring the retry logic already present in walk_pte_range()
Attack Vector
The vulnerability is triggered through concurrent memory management operations on Linux systems. While the attack vector requires local access and specific timing conditions, exploitation scenarios include:
- Reading /proc/[pid]/numa_maps while VFIO-PCI performs DMA setup
- Concurrent page table modifications during memory-intensive workloads
- Device passthrough operations with large BAR mappings racing with process introspection
The crash occurs in walk_pgd_range() at RIP 0010:walk_pgd_range+0x3b5/0x7a0, with the call trace showing the path through __walk_page_range(), walk_page_vma(), show_numa_map(), and the VFS read operations. The invalid memory access at CR2: ffffa23980000000 indicates the kernel dereferenced a pointer to freed or unmapped memory.
Detection Methods for CVE-2026-31456
Indicators of Compromise
- Kernel Oops messages containing "unable to handle page fault for address" with addresses in the kernel virtual address space
- Crash dumps showing RIP in walk_pgd_range, walk_pud_range, or related page walking functions
- System logs indicating BUG triggered during numa_maps reads or VFIO-PCI operations
- Kernel panics occurring during concurrent VFIO device setup and /proc filesystem access
Detection Strategies
- Monitor system logs (dmesg, /var/log/kern.log) for kernel Oops events involving walk_pgd_range or mm/pagewalk functions
- Implement kernel crash analysis to identify page fault patterns in memory management code paths
- Deploy kernel tracing (ftrace, eBPF) to detect concurrent access patterns to numa_maps during VFIO operations
- Configure kdump/kexec for crash dump collection to enable post-mortem analysis
Monitoring Recommendations
- Enable kernel panic logging and crash dump collection for affected systems
- Monitor for elevated VFIO-PCI activity combined with /proc filesystem access patterns
- Implement system health checks that detect kernel thread crashes in memory management paths
- Use SentinelOne's kernel-level monitoring capabilities to detect anomalous page table access patterns
How to Mitigate CVE-2026-31456
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the pudp_get() validation fix
- Review and apply commits from the official kernel git repository addressing this vulnerability
- Consider temporarily avoiding concurrent numa_maps reads during VFIO-PCI device setup operations
- Implement system monitoring for kernel crashes to detect exploitation attempts
Patch Information
The vulnerability has been addressed through commits in the stable kernel tree. The fix validates PUD entries using a stable snapshot via pudp_get() in walk_pmd_range() before descending further. If the PUD is not present or is a leaf, the code returns ACTION_AGAIN to retry the walk instead of accessing potentially invalid memory.
Relevant kernel commits:
Workarounds
- Avoid reading /proc/[pid]/numa_maps during VFIO-PCI device initialization with large BAR mappings
- Implement process isolation to prevent concurrent access to memory introspection interfaces during device passthrough setup
- Consider using cgroups or other isolation mechanisms to serialize access to affected code paths
- Deploy kernel live patching solutions if immediate reboot for kernel update is not feasible
# Check current kernel version
uname -r
# Verify if patch is applied by checking commit history
# (requires kernel source or git access)
git log --oneline mm/pagewalk.c | grep -i "fix race"
# Monitor for related kernel crashes
dmesg | grep -E "(walk_pgd_range|walk_pud_range|mm/pagewalk)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
