{
  "public_date" : "2026-04-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY",
    "id" : "2461484",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461484"
  },
  "cwe" : "CWE-364",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY\nfilemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,\nas documented in mm/filemap.c:\n\"If our return value has VM_FAULT_RETRY set, it's because the mmap_lock\nmay be dropped before doing I/O or by lock_folio_maybe_drop_mmap().\"\nWhen this happens, a concurrent munmap() can call remove_vma() and free\nthe vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then\nbecomes a dangling pointer, and the subsequent trace_ocfs2_fault() call\ndereferences it -- a use-after-free.\nFix this by saving ip_blkno as a plain integer before calling\nfilemap_fault(), and removing vma from the trace event. Since\nip_blkno is copied by value before the lock can be dropped, it\nremains valid regardless of what happens to the vma or inode\nafterward.", "A flaw was found in the Linux kernel's OCFS2 (Oracle Cluster File System version 2) component. A local attacker could exploit a use-after-free vulnerability when `filemap_fault()` drops the `mmap_lock` before returning `VM_FAULT_RETRY`. This allows a concurrent `munmap()` operation to free a `vm_area_struct`, leading to `ocfs2_fault()` dereferencing a dangling pointer. This issue can result in system instability or crashes." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31597\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31597\nhttps://lore.kernel.org/linux-cve-announce/2026042417-CVE-2026-31597-79cd@gregkh/T" ],
  "name" : "CVE-2026-31597",
  "csaw" : false
}