futex Requeue UAF
CVE-2026-31554
Severity: HIGH (KernelScan AI score 7.8)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved:

futex: Require sys_futex_requeue() to have identical flags

Nicholas reported that his LLM found it was possible to create a UaF when sys_futex_requeue() is used with different flags. The initial motivation for allowing different flags was the variable sized futex, but since that hasn't been merged (yet), simply mandate the flags are identical, as is the case for the old style sys_futex() requeue operations.
02 KernelScan AI Analysis
Risk summary
A local attacker with the ability to make system calls could trigger a use-after-free vulnerability in the futex subsystem by calling sys_futex_requeue() with different flags. This could potentially lead to memory corruption, privilege escalation, or system crashes.
Vulnerability analysis
Root Cause: The sys_futex_requeue() syscall accepted different flags for the source and destination futexes, which could lead to a use-after-free condition. When the two futexes carry different flags, the kernel may treat them with different memory management semantics, so memory that one path has already freed can be accessed by the other.
Attack Surface: This is a local vulnerability requiring the ability to make system calls. An attacker would need to call sys_futex_requeue() with carefully crafted arguments containing different flags for the source and destination futexes to trigger the use-after-free condition.
Fix Mechanism: The patch adds a validation check that requires both futexes (source and destination) to have identical flags before the requeue operation proceeds; mismatched flags are rejected, as they already were for the old-style sys_futex() requeue operations. This removes the scenario in which differing flag combinations could lead to memory corruption.
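As an added illustration (not the kernel's code and not part of this advisory), here is a user-space C model of the validation the fix describes: each futex_waitv entry passed to sys_futex_requeue() is checked on its own, and then the source and destination flags must be identical. The FUTEX2_* values and the struct layout follow the Linux uapi futex.h; the per-entry checks and the exact form of the new comparison are assumptions about the upstream patch, not copied from it.

```c
#include <errno.h>
#include <stdint.h>

/* Flag values from the Linux uapi futex.h (futex2 flag space), redefined
 * here so the model compiles without kernel headers. */
#define FUTEX2_SIZE_U32   0x02
#define FUTEX2_SIZE_MASK  0x03
#define FUTEX2_NUMA       0x04
#define FUTEX2_MPOL       0x08
#define FUTEX2_PRIVATE    128
#define FUTEX2_VALID_MASK (FUTEX2_SIZE_MASK | FUTEX2_NUMA | FUTEX2_MPOL | FUTEX2_PRIVATE)

/* Layout of struct futex_waitv as declared in the uapi header. */
struct futex_waitv {
    uint64_t val;
    uint64_t uaddr;
    uint32_t flags;
    uint32_t __reserved;
};

/* Per-entry validation modelled on (assumed, simplified) kernel behaviour:
 * reserved field must be zero, only known flag bits, and 32-bit size. */
static int waitv_entry_ok(const struct futex_waitv *w)
{
    if (w->__reserved != 0)
        return 0;
    if (w->flags & ~FUTEX2_VALID_MASK)
        return 0;
    if ((w->flags & FUTEX2_SIZE_MASK) != FUTEX2_SIZE_U32)
        return 0;
    return 1;
}

/* Validate the two-entry array given to sys_futex_requeue(): entry 0 is the
 * source futex, entry 1 the destination. Returns 0 when the pair is
 * acceptable and -EINVAL otherwise. The final comparison is the hardening
 * described above (assumed form): both entries must carry identical flags. */
int futex_requeue_validate(const struct futex_waitv waiters[2])
{
    if (!waitv_entry_ok(&waiters[0]) || !waitv_entry_ok(&waiters[1]))
        return -EINVAL;
    if (waiters[0].flags != waiters[1].flags)
        return -EINVAL;
    return 0;
}
```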
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.80 | 027145ace09f |
| 6.18 | 6.18.21 | 18b7d09c2b79 |
| 6.19 | 6.19.11 | e2f78c7ec165 |
| mainline | 7.0 | 19f94b390586 |