CRITICAL | CVE-2026-31589 | CNA: Linux
CVE-2026-31589: mm: call ->free_folio() directly in folio_unmap_invalidate()
In the Linux kernel, the following vulnerability has been resolved:

mm: call ->free_folio() directly in folio_unmap_invalidate()

We can only call filemap_free_folio() if we have a reference to (or hold a lock on) the mapping. Otherwise, we've already removed the folio from the mapping so it no longer pins the mapping and the mapping can be removed, causing a use-after-free when accessing mapping->a_ops.

Follow the same pattern as __remove_mapping() and load the free_folio function pointer before dropping the lock on the mapping. That lets us make filemap_free_folio() static as this was the only caller outside filemap.c.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: 0
- Affected Products: 2
Fix available
0, 6.18.27, 6.19.14, 615d9bb2ccad42f9e21d837431e401db2e471195, 7.0.1, 7.1-rc1, b667df39d98a7a24be7c2a40ff0863dac1ad2cd7, c330e65ea59c4805d6ab6757c4ddfe8c63acef31, efc52947247a21bbf79059539bbbd40f4ea76f00
Affected packages
- Linux / Linux: < efc52947247a21bbf79059539bbbd40f4ea76f00 (from fb7d3bc4149395c1ae99029c852eab6c28fc3c88) · < b667df39d98a7a24be7c2a40ff0863dac1ad2cd7 (from fb7d3bc4149395c1ae99029c852eab6c28fc3c88) · < c330e65ea59c4805d6ab6757c4ddfe8c63acef31 (from fb7d3bc4149395c1ae99029c852eab6c28fc3c88) · < 615d9bb2ccad42f9e21d837431e401db2e471195 (from fb7d3bc4149395c1ae99029c852eab6c28fc3c88)
- Linux / Linux 6.14 · Fixed in 0, 6.18.27, 6.19.14, 7.0.1, 7.1-rc1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H