CVE-2026-31554 Overview
CVE-2026-31554 is a use-after-free (UaF) vulnerability [CWE-416] in the Linux kernel's futex subsystem. The flaw resides in the sys_futex_requeue() system call, which previously allowed callers to specify different flags for the source and target futexes. A local, low-privileged attacker can trigger the UaF by invoking sys_futex_requeue() with mismatched flag values, leading to memory corruption.
The issue was reported by a researcher named Nicholas, who identified the condition with assistance from a large language model. The original rationale for permitting different flags was support for variable-sized futexes, but that feature has not been merged. The fix mandates identical flags, matching the behavior of the legacy sys_futex() requeue path.
Critical Impact
A local attacker with low privileges can exploit this use-after-free condition to corrupt kernel memory, potentially leading to privilege escalation, kernel information disclosure, or denial of service.
Affected Products
- Linux kernel 6.7, the release that introduced the futex2 requeue syscall
- Linux kernel 7.0 release candidates (rc1 through rc7)
- Stable and longterm branches that carry the futex2 requeue syscall (6.7 and later) and predate the fix commits referenced in the kernel.org advisories
Discovery Timeline
- 2026-04-24 - CVE-2026-31554 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-31554
Vulnerability Analysis
The futex (fast userspace mutex) subsystem provides the primitive used by glibc and other runtimes to implement mutexes, condition variables, and semaphores. The sys_futex_requeue() system call, introduced in Linux 6.7 as part of the futex2 interface, moves waiters from one futex to another so that a single wake-up does not release every waiter at once (the thundering-herd problem).
The vulnerability stems from a logic gap in argument validation. When the source and target futexes are specified with differing flags, the kernel can construct waiter state that references a futex object under one set of assumptions while the corresponding object is freed or interpreted differently under another. The result is a dangling reference that the kernel later dereferences.
Exploitation requires local code execution on the target system. An attacker invokes the futex2 requeue syscall with carefully chosen mismatched flag combinations to race the kernel into freeing or replacing a futex structure while a waiter still references it. Subsequent kernel access to the freed object enables memory corruption primitives commonly leveraged for privilege escalation.
Root Cause
The root cause is missing validation that the flags passed for the source futex match those passed for the target futex in sys_futex_requeue(). The interface was designed with future variable-sized futex support in mind, which would have required different flag semantics per futex. Because that feature was never merged, the permissive flag handling created an exploitable inconsistency between waiter accounting and the underlying futex object lifecycle.
Attack Vector
The attack is local. A low-privileged user invokes the futex2 requeue syscall directly through syscall(). The call takes a two-entry struct futex_waitv array, source futex first and target second, and each entry carries its own FUTEX2_* flags word (the syscall's separate flags argument must be zero). By passing differing flags in the two entries and racing the requeue against concurrent futex wait or wake operations on those futexes, the attacker triggers the use-after-free. No user interaction is required, and the entire attack runs within a single unprivileged process.
No verified public exploit code is currently available. The upstream fix description and patch commits provide the authoritative technical details. See the Linux kernel patch commit e2f78c7e for the implementation of the flag-equality check.
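As an added example, not code from the advisory or from the kernel tree, the following C program calls sys_futex_requeue() directly with the two-entry struct futex_waitv array described above and mirrors in userspace the flag-equality check the fix adds. It redefines the uapi struct and the FUTEX2_SIZE_U32 and FUTEX2_PRIVATE constants locally so it builds against headers older than 6.7; the syscall number 456 is the one shared by all architectures since that release. The probe in main() exercises only the argument check: with no waiter queued on either futex there is nothing to free, so it does not reproduce the race. That a patched kernel answers mismatched flags with EINVAL is an assumption made here by analogy with the other invalid-argument cases in the futex2 entry points, not something the advisory states.

```c
/* Added example, not from the advisory or the kernel sources: call the futex2
 * requeue syscall directly and mirror the flag-equality check the fix adds. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Local copy of the uapi struct futex_waitv layout (linux/futex.h) so the
 * example also builds on systems whose headers predate 6.7. */
struct futex2_waiter {
    uint64_t val;       /* expected value of the futex word */
    uint64_t uaddr;     /* user address of the futex word */
    uint32_t flags;     /* FUTEX2_SIZE_* | FUTEX2_PRIVATE */
    uint32_t reserved;  /* must be zero */
};

#define FUTEX2_SIZE_U32_ 0x02u   /* uapi FUTEX2_SIZE_U32: the only size implemented */
#define FUTEX2_PRIVATE_  0x80u   /* uapi FUTEX2_PRIVATE, same bit as FUTEX_PRIVATE_FLAG */

#ifndef __NR_futex_requeue
#define __NR_futex_requeue 456   /* same number on every architecture since 6.7 */
#endif

/* Userspace mirror of the check the fix adds: both entries must carry the
 * same flags, as the legacy FUTEX_REQUEUE path always implied. */
int futex2_requeue_flags_consistent(const struct futex2_waiter w[2])
{
    return w[0].flags == w[1].flags;
}

/* sys_futex_requeue(waiters, flags = 0, nr_wake, nr_requeue): waiters[0] is
 * the source futex (its val is the compare value), waiters[1] the target.
 * Returns the number of woken/requeued waiters on success, -errno on failure. */
int futex2_requeue_raw(uint32_t *src, unsigned src_flags,
                       uint32_t *dst, unsigned dst_flags,
                       int nr_wake, int nr_requeue)
{
    struct futex2_waiter w[2];
    memset(w, 0, sizeof w);
    w[0].val = *src;
    w[0].uaddr = (uintptr_t)src;
    w[0].flags = src_flags;
    w[1].uaddr = (uintptr_t)dst;
    w[1].flags = dst_flags;
    long rc = syscall(__NR_futex_requeue, w, 0u, nr_wake, nr_requeue);
    return rc < 0 ? -errno : (int)rc;
}

/* Probe with no waiters queued, so nothing can be freed: this tests only
 * whether the kernel rejects differing flags, not the race itself. */
int main(void)
{
    uint32_t src = 0, dst = 0;
    unsigned priv = FUTEX2_SIZE_U32_ | FUTEX2_PRIVATE_;
    unsigned shared = FUTEX2_SIZE_U32_;

    int same = futex2_requeue_raw(&src, priv, &dst, priv, 1, 1);
    if (same == -ENOSYS) {
        puts("no futex2 requeue syscall: kernel predates 6.7");
        return 0;
    }
    printf("matching flags:   rc=%d (%s)\n", same,
           same < 0 ? strerror(-same) : "ok");

    int mixed = futex2_requeue_raw(&src, priv, &dst, shared, 1, 1);
    printf("mismatched flags: rc=%d (%s)\n", mixed,
           mixed < 0 ? strerror(-mixed) : "accepted");
    /* Assumed fixed behaviour: a patched kernel answers -EINVAL here.
     * A return of 0 means the combination is still accepted (unpatched). */
    puts(mixed == -EINVAL ? "flag-equality check present"
                          : "flag-equality check absent or unknown result");
    return 0;
}
```

ENOSYS on the first call means the kernel predates 6.7 and has no futex2 requeue syscall at all, so the vulnerable code is not present. A return of 0 from the mismatched call means the kernel still accepts the combination and should be treated as unpatched. Run the probe on a scratch machine rather than a production host.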
Detection Methods for CVE-2026-31554
Indicators of Compromise
- Unexpected kernel oops or BUG: KASAN: use-after-free messages in dmesg referencing futex code paths such as futex_requeue, futex_wait_queue, or __futex_queue.
- Unprivileged processes issuing high volumes of futex2 syscalls (__NR_futex_waitv, __NR_futex_requeue) with anomalous flag combinations.
- Kernel panics or spontaneous reboots correlated with workloads that invoke futex requeue operations.
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) on test and pre-production kernels to surface use-after-free conditions during fuzzing or regression runs.
- Deploy auditd or eBPF-based syscall monitoring to flag uncommon use of the futex2 requeue syscall by non-system processes; match by name where the tooling already knows futex_requeue, otherwise by number (456 on every architecture).
- Correlate kernel ring buffer entries containing futex with process-level telemetry to identify the originating binary and parent process tree.
Monitoring Recommendations
- Forward /var/log/kern.log and journalctl -k output to a centralized log platform and alert on futex-related crash signatures.
- Track installed kernel package versions across the fleet and flag hosts running 6.7 or later, including 7.0 release candidates, without the patched commits.
- Monitor for process crashes followed by privilege changes (UID transitions to 0) within short time windows, a common post-exploitation pattern.
How to Mitigate CVE-2026-31554
Immediate Actions Required
- Inventory all Linux hosts and identify systems running kernel 6.7 or later, including any 7.0 release candidate.
- Apply the upstream stable kernel update containing the futex requeue flag-equality fix as soon as your distribution publishes it.
- Restrict local shell access on multi-tenant systems and container hosts until patching is complete, since the attack requires local execution.
- Review container runtime configurations to ensure seccomp profiles restrict unnecessary syscalls for untrusted workloads.
Patch Information
The Linux kernel maintainers resolved the issue by requiring identical flags for both source and target entries in sys_futex_requeue(); a call whose two entries carry different flags is now rejected instead of being processed. The patched commits are published on kernel.org; consult your distribution's security advisory for the specific package version that incorporates them.
Workarounds
- Apply a seccomp-bpf filter to block the futex_requeue syscall (syscall number __NR_futex_requeue, 456 on every architecture) for untrusted processes and containers where the futex2 requeue interface is not required. Most userspace, including current glibc, still goes through the legacy sys_futex(), so the rule rarely affects ordinary workloads, but test it before rolling it out.
- Constrain untrusted workloads with user namespaces disabled and reduced capabilities to limit local attack surface.
- Where feasible, downgrade to a kernel branch that predates the futex2 requeue interface (6.6 LTS is the last series without it) until the patched kernel is deployed.
# Verify the running kernel version (the futex2 requeue syscall exists from 6.7 onward)
uname -r
/* Example libseccomp snippet (C) to deny futex_requeue; build with -lseccomp.
 * If SCMP_SYS(futex_requeue) is undefined in your libseccomp release, pass the
 * raw number 456 in its place. */
#include <errno.h>
#include <seccomp.h>
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(futex_requeue), 0);
seccomp_load(ctx);
seccomp_release(ctx);
# Audit futex2 requeue usage with auditctl. Use -S 456 instead of the name if
# your audit userspace does not yet know futex_requeue.
auditctl -a always,exit -F arch=b64 -S futex_requeue -k futex2_requeue
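As a second added example, again not from the advisory, here is the same deny rule written as a raw seccomp-bpf program with no libseccomp dependency and the syscall number spelled out, so it works even where the library's table lacks the name. After installing the filter it calls futex_requeue with a NULL waiters pointer, which the kernel rejects with EINVAL before touching any futex, so the call is safe on any kernel and lets you watch the filter take effect (EPERM afterwards; ENOSYS on a kernel without the syscall). The AUDIT_ARCH check assumes x86-64 or arm64; add the constant for other architectures.

```c
/* Added example, not from the advisory: a raw seccomp-bpf filter that makes
 * futex_requeue fail with EPERM for this process and everything it spawns. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef __NR_futex_requeue
#define __NR_futex_requeue 456   /* same number on every architecture since 6.7 */
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL   /* pre-4.14 headers */
#endif

/* The filter must check the syscall ABI first: the same number means a
 * different call under another ABI. Assumes x86-64 or arm64. */
#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Install the filter. Returns 0 on success, -errno if seccomp is unavailable. */
int deny_futex2_requeue(void)
{
    struct sock_filter code[] = {
        /* A = seccomp_data.arch; kill the process unless it is THIS_ARCH */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* A = seccomp_data.nr; EPERM for futex_requeue, allow everything else */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_futex_requeue, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = sizeof code / sizeof code[0],
        .filter = code,
    };

    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

/* futex_requeue with waiters == NULL is rejected with EINVAL before the
 * kernel touches any futex, so it is a safe way to see what the filter does.
 * Returns 0 on success or the errno value: ENOSYS (no syscall), EINVAL
 * (syscall present, filter absent), EPERM (filter active). */
int futex2_requeue_probe(void)
{
    if (syscall(__NR_futex_requeue, NULL, 0u, 0, 0) == 0)
        return 0;
    return errno;
}

/* Install the filter and report the errno seen afterwards, or -1 if the
 * filter could not be installed. */
int demo(void)
{
    if (deny_futex2_requeue() != 0)
        return -1;
    return futex2_requeue_probe();
}

int main(void)
{
    int before = futex2_requeue_probe();
    printf("before filter: %s\n", before ? strerror(before) : "ok");
    int after = demo();
    if (after < 0)
        printf("could not install seccomp filter\n");
    else
        printf("after filter:  %s\n", after ? strerror(after) : "ok");
    return 0;
}
```

Filters installed this way are inherited across fork() and execve() and cannot be removed, which is what you want for a container entrypoint or a sandbox launcher; install it after any setup that legitimately needs the syscall. The arch check matters because a 32-bit compat process on the same host would map number 456 to a different call.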
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.