mm Folio UAF
CVE-2026-31589
Severity: CRITICAL (KernelScan AI score 9.8)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

01 Description
In the Linux kernel, the following vulnerability has been resolved:

mm: call ->free_folio() directly in folio_unmap_invalidate()

We can only call filemap_free_folio() if we have a reference to (or hold a lock on) the mapping. Otherwise, we've already removed the folio from the mapping so it no longer pins the mapping and the mapping can be removed, causing a use-after-free when accessing mapping->a_ops.

Follow the same pattern as __remove_mapping() and load the free_folio function pointer before dropping the lock on the mapping. That lets us make filemap_free_folio() static as this was the only caller outside filemap.c.
02 KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in the kernel's memory management can cause system crashes or potentially allow privilege escalation. When invalidating folios (the page-cache memory units), the kernel may access an already freed mapping structure, leading to unpredictable behavior. This affects systems performing file I/O operations, especially those using streaming or uncached I/O patterns.
Vulnerability analysis
Root Cause: In folio_unmap_invalidate(), the code calls filemap_free_folio() after removing the folio from the mapping and dropping locks. Once the folio is removed from the mapping, it no longer pins the mapping structure, allowing the mapping to be freed. When filemap_free_folio() later accesses mapping->a_ops, it dereferences a freed mapping structure.
Attack Surface: This vulnerability affects the memory management subsystem during folio invalidation operations. It can be triggered through file operations that involve page cache management, particularly when using streaming/uncached I/O with RWF_DONTCACHE. The bug requires local access to trigger file operations that lead to folio invalidation.
Fix Mechanism: The fix follows the same pattern as __remove_mapping() by loading the free_folio function pointer from mapping->a_ops before dropping the lock on the mapping. This ensures the function pointer is cached while the mapping is still valid. The code then calls the cached function pointer directly instead of going through filemap_free_folio(), which also allows making filemap_free_folio() static since it was the only external caller.
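The ordering bug and its fix, as an added C model (not kernel code): the mapping is marked "freed" with a poison flag when its last folio is removed, so the buggy late read of mapping->a_ops is caught and reported instead of touching freed memory. Struct and function names mirror the advisory; nrfolios, freed, demo_aops and run_demo are this example's own assumptions.

```c
/* Model of the folio_unmap_invalidate() ordering bug (added example, not kernel
 * code). A mapping is "freed" (poison flag) once the last folio pinning it goes. */
#include <stddef.h>

struct folio;
struct address_space_operations { void (*free_folio)(struct folio *); };
struct address_space {
    int nrfolios;   /* folios still pinning this mapping */
    int freed;      /* stands in for kfree(); keeps the demo memory-safe */
    const struct address_space_operations *a_ops;
};
struct folio { struct address_space *mapping; int free_calls; };

static void demo_free_folio(struct folio *folio) { folio->free_calls++; }
static const struct address_space_operations demo_aops = { demo_free_folio };

/* Unlink the folio; if it was the last pin, the mapping goes away. */
static void remove_from_mapping(struct folio *folio)
{
    struct address_space *mapping = folio->mapping;
    folio->mapping = NULL;
    mapping->freed = (--mapping->nrfolios == 0);
}

/* Buggy order: reads mapping->a_ops after the folio no longer pins the mapping.
 * Returns -1 at the point where the real kernel dereferences freed memory. */
int invalidate_vulnerable(struct folio *folio)
{
    struct address_space *mapping = folio->mapping;
    remove_from_mapping(folio);
    if (mapping->freed)
        return -1;
    mapping->a_ops->free_folio(folio);
    return 0;
}

/* Fixed order (the __remove_mapping() pattern): copy the function pointer while
 * the mapping is still valid, unlink, then call the copy. */
int invalidate_fixed(struct folio *folio)
{
    void (*free_folio)(struct folio *) = folio->mapping->a_ops->free_folio;
    remove_from_mapping(folio);
    free_folio(folio);
    return 0;
}

/* One mapping pinned by one folio: -1 on the modelled UAF, else ->free_folio() calls. */
int run_demo(int use_fix)
{
    struct address_space mapping = { 1, 0, &demo_aops };
    struct folio folio = { &mapping, 0 };
    int rc = use_fix ? invalidate_fixed(&folio) : invalidate_vulnerable(&folio);
    return rc < 0 ? rc : folio.free_calls;
}
```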
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.27 | efc52947247a |
| 6.19 | 6.19.14 | b667df39d98a |
| 7.0 | 7.0.1 | c330e65ea59c |
| mainline | 7.1-rc1 | 615d9bb2ccad |