CVE-2026-31541 (GCVE-0-2026-31541)

Vulnerability from cvelistv5 – Published: 2026-04-24 14:33 – Updated: 2026-05-11 22:10
VLAI
Title
tracing: Fix trace_marker copy link list updates
Summary
In the Linux kernel, the following vulnerability has been resolved: tracing: Fix trace_marker copy link list updates When the "copy_trace_marker" option is enabled for an instance, anything written into /sys/kernel/tracing/trace_marker is also copied into that instances buffer. When the option is set, that instance's trace_array descriptor is added to the marker_copies link list. This list is protected by RCU, as all iterations uses an RCU protected list traversal. When the instance is deleted, all the flags that were enabled are cleared. This also clears the copy_trace_marker flag and removes the trace_array descriptor from the list. The issue is after the flags are called, a direct call to update_marker_trace() is performed to clear the flag. This function returns true if the state of the flag changed and false otherwise. If it returns true here, synchronize_rcu() is called to make sure all readers see that its removed from the list. But since the flag was already cleared, the state does not change and the synchronization is never called, leaving a possible UAF bug. Move the clearing of all flags below the updating of the copy_trace_marker option which then makes sure the synchronization is performed. Also use the flag for checking the state in update_marker_trace() instead of looking at if the list is empty.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 7b382efd5e8af4c0c67e70ad3fb599dcd2dc0b86 , < 75668e58244e63ec3785098a02e1cdcff14a6c2e (git)
Affected: 7b382efd5e8af4c0c67e70ad3fb599dcd2dc0b86 , < cc267e4b4302247dc67ef937a9ac587a696a43c1 (git)
Affected: 7b382efd5e8af4c0c67e70ad3fb599dcd2dc0b86 , < 07183aac4a6828e474f00b37c9d795d0d99e18a7 (git)
Create a notification for this product.
Linux Linux Affected: 6.16
Unaffected: 0 , < 6.16 (semver)
Unaffected: 6.18.20 , ≤ 6.18.* (semver)
Unaffected: 6.19.10 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/trace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "75668e58244e63ec3785098a02e1cdcff14a6c2e",
              "status": "affected",
              "version": "7b382efd5e8af4c0c67e70ad3fb599dcd2dc0b86",
              "versionType": "git"
            },
            {
              "lessThan": "cc267e4b4302247dc67ef937a9ac587a696a43c1",
              "status": "affected",
              "version": "7b382efd5e8af4c0c67e70ad3fb599dcd2dc0b86",
              "versionType": "git"
            },
            {
              "lessThan": "07183aac4a6828e474f00b37c9d795d0d99e18a7",
              "status": "affected",
              "version": "7b382efd5e8af4c0c67e70ad3fb599dcd2dc0b86",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/trace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.16"
            },
            {
              "lessThan": "6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.20",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.10",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix trace_marker copy link list updates\n\nWhen the \"copy_trace_marker\" option is enabled for an instance, anything\nwritten into /sys/kernel/tracing/trace_marker is also copied into that\ninstances buffer. When the option is set, that instance\u0027s trace_array\ndescriptor is added to the marker_copies link list. This list is protected\nby RCU, as all iterations uses an RCU protected list traversal.\n\nWhen the instance is deleted, all the flags that were enabled are cleared.\nThis also clears the copy_trace_marker flag and removes the trace_array\ndescriptor from the list.\n\nThe issue is after the flags are called, a direct call to\nupdate_marker_trace() is performed to clear the flag. This function\nreturns true if the state of the flag changed and false otherwise. If it\nreturns true here, synchronize_rcu() is called to make sure all readers\nsee that its removed from the list.\n\nBut since the flag was already cleared, the state does not change and the\nsynchronization is never called, leaving a possible UAF bug.\n\nMove the clearing of all flags below the updating of the copy_trace_marker\noption which then makes sure the synchronization is performed.\n\nAlso use the flag for checking the state in update_marker_trace() instead\nof looking at if the list is empty."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:10:46.355Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/75668e58244e63ec3785098a02e1cdcff14a6c2e"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc267e4b4302247dc67ef937a9ac587a696a43c1"
        },
        {
          "url": "https://git.kernel.org/stable/c/07183aac4a6828e474f00b37c9d795d0d99e18a7"
        }
      ],
      "title": "tracing: Fix trace_marker copy link list updates",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31541",
    "datePublished": "2026-04-24T14:33:10.505Z",
    "dateReserved": "2026-03-09T15:48:24.114Z",
    "dateUpdated": "2026-05-11T22:10:46.355Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-31541",
      "date": "2026-05-25",
      "epss": "0.00013",
      "percentile": "0.02274"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-31541\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-04-24T15:16:28.117\",\"lastModified\":\"2026-04-28T18:50:29.970\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntracing: Fix trace_marker copy link list updates\\n\\nWhen the \\\"copy_trace_marker\\\" option is enabled for an instance, anything\\nwritten into /sys/kernel/tracing/trace_marker is also copied into that\\ninstances buffer. When the option is set, that instance\u0027s trace_array\\ndescriptor is added to the marker_copies link list. This list is protected\\nby RCU, as all iterations uses an RCU protected list traversal.\\n\\nWhen the instance is deleted, all the flags that were enabled are cleared.\\nThis also clears the copy_trace_marker flag and removes the trace_array\\ndescriptor from the list.\\n\\nThe issue is after the flags are called, a direct call to\\nupdate_marker_trace() is performed to clear the flag. This function\\nreturns true if the state of the flag changed and false otherwise. If it\\nreturns true here, synchronize_rcu() is called to make sure all readers\\nsee that its removed from the list.\\n\\nBut since the flag was already cleared, the state does not change and the\\nsynchronization is never called, leaving a possible UAF bug.\\n\\nMove the clearing of all flags below the updating of the copy_trace_marker\\noption which then makes sure the synchronization is performed.\\n\\nAlso use the flag for checking the state in update_marker_trace() instead\\nof looking at if the list is empty.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.16\",\"versionEndExcluding\":\"6.18.20\",\"matchCriteriaId\":\"1C570CE1-BC61-4BE6-9393-FD0CA8637367\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.19\",\"versionEndExcluding\":\"6.19.10\",\"matchCriteriaId\":\"96D34333-38BE-4414-9E79-6EB764329581\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F253B622-8837-4245-BCE5-A7BF8FC76A16\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F666C8D8-6538-46D4-B318-87610DE64C34\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"02259FDA-961B-47BC-AE7F-93D7EC6E90C2\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/07183aac4a6828e474f00b37c9d795d0d99e18a7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/75668e58244e63ec3785098a02e1cdcff14a6c2e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cc267e4b4302247dc67ef937a9ac587a696a43c1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.