CVE-2026-31654 Overview
A memory leak vulnerability has been identified in the Linux kernel's memory management subsystem, specifically within the __mmap_region() function. The flaw occurs when memory-mapping /dev/zero with MAP_SHARED flags, where an error in the code path fails to properly release a newly allocated shmem file when __mmap_new_vma() fails.
The vulnerability was introduced when commit 605f6586ecf7 ("mm/vma: do not leak memory when .mmap_prepare swaps the file") addressed the success path by skipping get_file() via file_doesnt_need_get, but inadvertently missed handling the error path. This oversight results in unreferenced kernel memory objects that cannot be reclaimed, leading to system memory exhaustion over time.
Critical Impact
Repeated exploitation of this memory leak can lead to system resource exhaustion, resulting in denial of service conditions affecting system stability and availability.
Affected Products
- Linux Kernel version 6.19
- Linux Kernel version 7.0-rc1 through 7.0-rc7
- Linux Kernel (various versions with affected mm/vma code)
Discovery Timeline
- 2026-04-24 - CVE CVE-2026-31654 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-31654
Vulnerability Analysis
This vulnerability represents a classic memory leak pattern in kernel code where resource cleanup in error handling paths is incomplete. When a user-space application attempts to memory-map /dev/zero using the mmap() system call with MAP_SHARED flags, the kernel invokes mmap_zero_prepare() which subsequently calls shmem_zero_setup_desc(). This function allocates a new shmem file structure to back the memory mapping.
The problem manifests when __mmap_new_vma() fails after the shmem file has been allocated. In this scenario, the original file reference is properly released by ksys_mmap_pgoff(), but the newly allocated replacement shmem file is never released via fput(). Each failed operation leaves a 360-byte unreferenced kernel object in memory that cannot be garbage collected.
The vulnerability was discovered using syzkaller fuzzing combined with fault injection, demonstrating that the leak is reproducible under controlled failure conditions. The kmemleak tool confirms the memory leak by reporting unreferenced objects with a backtrace pointing to alloc_file_pseudo() → __shmem_file_setup() → shmem_zero_setup_desc() → mmap_zero_prepare() → __mmap_region().
Root Cause
The root cause is an incomplete error handling path in the __mmap_region() function. While commit 605f6586ecf7 correctly handled the success path for file swapping during mmap preparation, it failed to add corresponding cleanup code for the error path. Specifically, when .mmap_prepare swaps the backing file and subsequent operations fail, the swapped file's reference count is not decremented, resulting in a permanent memory leak.
The fix requires adding an fput() call for the swapped file in the error handling section of __mmap_region() to ensure proper resource cleanup regardless of whether the operation succeeds or fails.
Attack Vector
The vulnerability requires local access to exploit. An attacker with the ability to execute code on the system can trigger the memory leak through the following mechanism:
When mapping /dev/zero with MAP_SHARED, the kernel's mmap_zero_prepare() function creates a new shmem file to back the mapping. If a subsequent kernel allocation fails (which can happen naturally under memory pressure or be induced via fault injection), the error path does not release this newly created file. By repeatedly attempting mmap operations that trigger this failure condition, an attacker can gradually exhaust kernel memory, leading to system instability or denial of service.
The attack does not require elevated privileges, though the practical exploitability depends on the ability to trigger failures in __mmap_new_vma() or subsequent functions in the mmap code path.
Detection Methods for CVE-2026-31654
Indicators of Compromise
- Unexplained growth in kernel slab memory usage, particularly in file-related caches
- Reports from kmemleak showing unreferenced objects originating from alloc_file_pseudo() or __shmem_file_setup()
- Gradual system memory exhaustion without corresponding user-space memory growth
- System instability or out-of-memory (OOM) conditions on servers with heavy mmap usage
Detection Strategies
- Enable and monitor kmemleak (/sys/kernel/debug/kmemleak) to detect unreferenced memory objects matching the vulnerability signature
- Monitor /proc/meminfo for abnormal Slab memory growth patterns that don't correlate with system activity
- Implement memory usage trending and alerting for kernel memory pools to identify gradual leaks
- Deploy SentinelOne agents to monitor for anomalous system behavior patterns indicative of resource exhaustion attacks
Monitoring Recommendations
- Configure automated kmemleak scans on production systems running affected kernel versions
- Set up alerts for kernel slab memory exceeding baseline thresholds by more than 20%
- Monitor system calls related to mmap operations for unusual patterns or high failure rates
- Implement resource usage baseline monitoring to detect gradual memory consumption trends
How to Mitigate CVE-2026-31654
Immediate Actions Required
- Update affected Linux kernel installations to a patched version containing commits 61fc8eaf2ab214b32c7bce52597c80cf0ca41ada or 894f99eb535edc4514f756818f3c4f688ba53a59
- Prioritize patching systems with high mmap activity, such as database servers and containerized environments
- Monitor affected systems for signs of memory exhaustion while awaiting patch deployment
- Consider scheduling maintenance windows to apply kernel updates with required reboots
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix adds proper fput() cleanup for the swapped file in the error path of __mmap_region().
Two patch commits are available:
Organizations should obtain patched kernel versions through their Linux distribution's standard update channels or build from the patched upstream source.
Workarounds
- No official workarounds are available; patching is the recommended remediation
- Implement memory monitoring and alerting to detect potential exploitation attempts before system impact
- Consider restarting affected systems periodically to reclaim leaked memory as a temporary measure
- Limit local user access on critical systems to reduce attack surface until patches can be applied
# Check current kernel version for affected releases
uname -r
# Enable kmemleak for monitoring (requires CONFIG_DEBUG_KMEMLEAK)
echo scan > /sys/kernel/debug/kmemleak
cat /sys/kernel/debug/kmemleak | grep -A10 "__shmem_file_setup"
# Monitor slab memory usage
cat /proc/meminfo | grep Slab
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
