CVE-2026-31744 Overview
CVE-2026-31744 is a NULL pointer dereference vulnerability in the Linux kernel's Power Management Energy Model (PM/EM) subsystem. The flaw resides in the dev_energymodel_nl_get_perf_domains_doit() netlink handler. This function calls em_perf_domain_get_by_id() and forwards its return value to __em_nl_get_pd_size() without verifying the pointer is valid. When a caller supplies a non-existent performance domain ID, em_perf_domain_get_by_id() returns NULL, and the subsequent dereference of pd->cpus triggers a kernel crash. The vulnerability affects Linux kernel versions 6.19-rc6 through 7.0-rc7 and is tracked under CWE-476.
Critical Impact
A local, low-privileged user can crash the kernel by sending a crafted netlink request with an invalid performance domain ID, resulting in denial of service.
Affected Products
- Linux Kernel 6.19-rc6, rc7, rc8
- Linux Kernel 7.0-rc1 through 7.0-rc7
- Distributions shipping the affected mainline release candidates
Discovery Timeline
- 2026-05-01 - CVE-2026-31744 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-31744
Vulnerability Analysis
The vulnerability resides in the Energy Model netlink interface used by user space to query performance domain metadata. The dev_energymodel_nl_get_perf_domains_doit() handler resolves a user-supplied performance domain identifier through em_perf_domain_get_by_id(). This lookup function returns NULL when the requested ID does not match any registered performance domain.
The handler does not validate the return value before invoking __em_nl_get_pd_size(). Inside that helper, the code dereferences pd->cpus at structure offset 0x30, which causes a NULL pointer dereference and a kernel oops. The sister handler dev_energymodel_nl_get_perf_table_doit() already implements the correct pattern: it routes the lookup through __em_nl_get_pd_table_id(), which handles a NULL result by returning -EINVAL to the caller instead of dereferencing it.
Root Cause
The root cause is a missing NULL check on the return value of em_perf_domain_get_by_id() in the get-perf-domains netlink do handler. The function contract permits NULL returns, but the caller treats the result as always valid. This is a classic CWE-476 NULL Pointer Dereference defect introduced when the netlink interface for the Energy Model was added.
Attack Vector
Exploitation requires local access with permission to send netlink messages to the kernel's Energy Model generic netlink family. An unprivileged attacker constructs a netlink request to the get-perf-domains command and supplies an integer performance domain ID that does not correspond to any registered domain. The kernel handler proceeds to dereference the NULL pointer, producing a kernel oops. The result is a system-wide denial of service. The vulnerability does not expose memory contents or allow code execution, but it disrupts availability for all users on the affected host.
The upstream fix adds a NULL check after em_perf_domain_get_by_id() and returns -EINVAL when no matching domain exists, mirroring the behavior of the perf-table sister handler.
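The following is an added illustration, not code from the Linux kernel or from the advisory: a small user-space model of the handler pattern described above, showing the unchecked shape beside the fixed one. The model_ names, the struct layout and the two-domain registry are assumptions standing in for em_perf_domain_get_by_id(), __em_nl_get_pd_size() and the do handler; only the contract (NULL on an unknown ID, -EINVAL from the fixed handler) is taken from the advisory.

```c
/*
 * Added illustration of CVE-2026-31744's handler pattern. Not kernel code:
 * every model_* name and the registry contents are constructed stand-ins.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's performance-domain object. */
struct model_perf_domain {
	int id;
	const unsigned long *cpus;  /* the field the advisory says is dereferenced */
	size_t nr_cpus;
};

/* Constructed registry: two registered performance domains, ids 0 and 1. */
static const unsigned long domain0_cpus[] = { 0, 1, 2, 3 };
static const unsigned long domain1_cpus[] = { 4, 5 };
static const struct model_perf_domain registry[] = {
	{ .id = 0, .cpus = domain0_cpus, .nr_cpus = 4 },
	{ .id = 1, .cpus = domain1_cpus, .nr_cpus = 2 },
};

/* Same contract as em_perf_domain_get_by_id(): NULL when the id is unknown. */
static const struct model_perf_domain *model_get_by_id(int id)
{
	for (size_t i = 0; i < sizeof registry / sizeof registry[0]; i++)
		if (registry[i].id == id)
			return &registry[i];
	return NULL;
}

/* Stand-in for __em_nl_get_pd_size(): trusts pd and reads pd->cpus first. */
static size_t model_get_pd_size(const struct model_perf_domain *pd)
{
	const unsigned long *cpus = pd->cpus;   /* NULL pd faults here */
	size_t size = sizeof(int);              /* domain id attribute */
	for (size_t i = 0; i < pd->nr_cpus; i++)
		size += sizeof cpus[i];             /* one attribute per CPU */
	return size;
}

/* Vulnerable shape: the lookup result is forwarded without a NULL check. */
static int model_doit_unchecked(int id, size_t *out)
{
	const struct model_perf_domain *pd = model_get_by_id(id);
	*out = model_get_pd_size(pd);           /* oops when id is unknown */
	return 0;
}

/* Fixed shape: reject unknown ids with -EINVAL before the helper runs. */
static int model_doit_fixed(int id, size_t *out)
{
	const struct model_perf_domain *pd = model_get_by_id(id);
	if (!pd)
		return -EINVAL;
	*out = model_get_pd_size(pd);
	return 0;
}

/* Convenience wrapper: reply size on success, negative errno on failure. */
static long model_fixed_query(int id)
{
	size_t size = 0;
	int err = model_doit_fixed(id, &size);
	return err ? err : (long)size;
}

int main(void)
{
	for (int id = 0; id < 3; id++) {
		long r = model_fixed_query(id);
		if (r < 0)
			printf("id %d: rejected with %ld (-EINVAL)\n", id, r);
		else
			printf("id %d: reply size %ld bytes\n", id, r);
	}
	return 0;
}
```

Calling model_doit_unchecked() with an unregistered id reproduces the crash in user space as a segmentation fault; model_doit_fixed() turns the same input into an error return, which is the behavior the upstream fix gives the kernel handler.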
Detection Methods for CVE-2026-31744
Indicators of Compromise
- Kernel oops messages referencing __em_nl_get_pd_size or dev_energymodel_nl_get_perf_domains_doit in dmesg or /var/log/kern.log
- Unexpected kernel panics on hosts running affected 6.19-rc or 7.0-rc kernels
- Repeated netlink traffic from non-privileged user-space processes targeting the Energy Model generic netlink family
Detection Strategies
- Monitor kernel ring buffer output for NULL pointer dereference traces that include the Energy Model call path
- Audit running kernel versions across the fleet using uname -r and flag hosts in the 6.19-rc6 through 7.0-rc7 range
- Correlate process-level netlink socket activity with subsequent kernel crash events
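Two of the strategies above, the fleet version audit and the kernel-log scan for Energy Model oops traces, as an added example that is not part of the advisory. The affected-release check encodes only the range the advisory lists (6.19-rc6 through rc8 and 7.0-rc1 through rc7); releases outside it are reported as "not listed", not as safe. The kern.log excerpt is constructed for the example, with the oops address chosen to match the 0x30 offset given in the technical details.

```c
/*
 * Added detection example for CVE-2026-31744. Not from the advisory or the
 * kernel tree; the log text below is a constructed sample.
 */
#include <stdio.h>
#include <string.h>

/* 1 if a `uname -r` string falls in the release-candidate range the advisory lists. */
static int kernel_release_affected(const char *rel)
{
	int maj = 0, min = 0, sub = 0, rc = 0;
	int n = sscanf(rel, "%d.%d.%d-rc%d", &maj, &min, &sub, &rc);
	if (n < 4)                /* no -rcN suffix: not in the listed range */
		return 0;
	if (maj == 6 && min == 19)
		return rc >= 6 && rc <= 8;
	if (maj == 7 && min == 0)
		return rc >= 1 && rc <= 7;
	return 0;
}

/* Symbols from the advisory's call path; either one in a trace is a hit. */
static const char *const em_symbols[] = {
	"__em_nl_get_pd_size",
	"dev_energymodel_nl_get_perf_domains_doit",
};

static int line_names_em_path(const char *line)
{
	for (size_t i = 0; i < sizeof em_symbols / sizeof em_symbols[0]; i++)
		if (strstr(line, em_symbols[i]))
			return 1;
	return 0;
}

/*
 * Count oops reports whose trace names the EM netlink path. A report opens
 * at "NULL pointer dereference" and closes at "end trace"; one hit per report.
 */
static int count_em_oops(const char *log)
{
	int in_oops = 0, hit = 0, count = 0;
	const char *p = log;
	while (*p) {
		const char *nl = strchr(p, '\n');
		size_t full = nl ? (size_t)(nl - p) : strlen(p);
		size_t len = full < 255 ? full : 255;
		char line[256];
		memcpy(line, p, len);
		line[len] = '\0';

		if (strstr(line, "NULL pointer dereference")) {
			in_oops = 1;
			hit = 0;
		} else if (in_oops && strstr(line, "end trace")) {
			count += hit;
			in_oops = 0;
		} else if (in_oops && !hit && line_names_em_path(line)) {
			hit = 1;
		}
		p = nl ? nl + 1 : p + full;
	}
	return count;
}

/* Constructed kern.log excerpt: one EM oops followed by one unrelated oops. */
static const char sample_kern_log[] =
	"kernel: BUG: kernel NULL pointer dereference, address: 0000000000000030\n"
	"kernel: RIP: 0010:__em_nl_get_pd_size+0x12/0x80\n"
	"kernel: Call Trace:\n"
	"kernel:  dev_energymodel_nl_get_perf_domains_doit+0x4a/0x120\n"
	"kernel:  genl_rcv_msg+0x1c5/0x2c0\n"
	"kernel: ---[ end trace 0000000000000000 ]---\n"
	"kernel: BUG: kernel NULL pointer dereference, address: 0000000000000008\n"
	"kernel: RIP: 0010:some_other_driver_fn+0x20/0x90\n"
	"kernel: ---[ end trace 0000000000000000 ]---\n";

int main(void)
{
	const char *releases[] = { "6.19.0-rc7", "7.0.0-rc3", "7.0.0-rc8", "6.19.0" };
	for (size_t i = 0; i < sizeof releases / sizeof releases[0]; i++)
		printf("%-12s %s\n", releases[i],
		       kernel_release_affected(releases[i]) ? "AFFECTED" : "not listed");
	printf("EM oops reports in sample log: %d\n", count_em_oops(sample_kern_log));
	return 0;
}
```

Feeding real `dmesg` or /var/log/kern.log output into count_em_oops() gives the per-host count to alert on; an unrelated NULL dereference in the same log is deliberately not counted, so the signal stays specific to the Energy Model path.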
Monitoring Recommendations
- Forward kernel logs to a centralized logging or SIEM platform and alert on oops or panic signatures naming the EM subsystem
- Track host availability and unplanned reboots on systems running release-candidate kernels
- Restrict and log local user access to systems running pre-release kernels until patched
How to Mitigate CVE-2026-31744
Immediate Actions Required
- Identify all hosts running Linux kernel 6.19-rc6 through 7.0-rc7 and prioritize patching
- Apply the upstream stable commits 9badc2a84e688be1275bb740942d5f6f51746908 and ab09b9a1e3b02ff62c5aebe3b12b0cb4cb4ea8ab
- Avoid deploying release-candidate kernels in production environments where local DoS is a meaningful risk
Patch Information
The fix adds a NULL check on the return value of em_perf_domain_get_by_id() inside dev_energymodel_nl_get_perf_domains_doit() and returns -EINVAL when the performance domain ID is not found. The patch is available in the upstream stable tree. See the two upstream kernel Git commits listed under Immediate Actions Required for the source-level changes.
Workarounds
- Downgrade affected systems to a stable Linux kernel release that does not include the vulnerable Energy Model netlink handler
- Restrict local shell and code execution access on affected hosts to trusted administrators only
- Use Linux Security Modules or seccomp policies to limit which processes can open AF_NETLINK sockets to the generic netlink family
# Verify running kernel version
uname -r
# Apply distribution kernel updates (Debian/Ubuntu): upgrade the kernel
# metapackage (linux-image-generic on Ubuntu, linux-image-amd64 on Debian).
# Upgrading linux-image-$(uname -r) only refreshes the package for the
# running kernel ABI and will not pull in a newer, fixed kernel.
sudo apt update && sudo apt install --only-upgrade linux-image-generic
# Apply distribution kernel updates (RHEL/Fedora)
sudo dnf update kernel
# Reboot to load the patched kernel, then confirm with uname -r
sudo systemctl reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.