{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31457", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.092Z", "datePublished": "2026-04-22T13:53:50.220Z", "dateUpdated": "2026-04-22T13:53:50.220Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-22T13:53:50.220Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: check contexts->nr in repeat_call_fn\n\ndamon_sysfs_repeat_call_fn() calls damon_sysfs_upd_tuned_intervals(),\ndamon_sysfs_upd_schemes_stats(), and\ndamon_sysfs_upd_schemes_effective_quotas() without checking contexts->nr. \nIf nr_contexts is set to 0 via sysfs while DAMON is running, these\nfunctions dereference contexts_arr[0] and cause a NULL pointer\ndereference. Add the missing check.\n\nFor example, the issue can be reproduced using DAMON sysfs interface and\nDAMON user-space tool (damo) [1] like below.\n\n $ sudo damo start --refresh_interval 1s\n $ echo 0 | sudo tee \\\n /sys/kernel/mm/damon/admin/kdamonds/0/contexts/nr_contexts"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/damon/sysfs.c"], "versions": [{"version": "d809a7c64ba8229286b333c0cba03b1cdfb50238", "lessThan": "3527e9fdc38570cea0f6ddb7a2c9303d4044b217", "status": "affected", "versionType": "git"}, {"version": "d809a7c64ba8229286b333c0cba03b1cdfb50238", "lessThan": "652cd0641a763dd0e846b0d12814977fadb2b7d8", "status": "affected", "versionType": "git"}, {"version": "d809a7c64ba8229286b333c0cba03b1cdfb50238", "lessThan": "6557004a8b59c7701e695f02be03c7e20ed1cc15", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/damon/sysfs.c"], "versions": [{"version": "6.17", "status": "affected"}, {"version": "0", "lessThan": "6.17", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3527e9fdc38570cea0f6ddb7a2c9303d4044b217"}, {"url": "https://git.kernel.org/stable/c/652cd0641a763dd0e846b0d12814977fadb2b7d8"}, {"url": "https://git.kernel.org/stable/c/6557004a8b59c7701e695f02be03c7e20ed1cc15"}], "title": "mm/damon/sysfs: check contexts->nr in repeat_call_fn", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: check contexts->nr in repeat_call_fn\n\ndamon_sysfs_repeat_call_fn() calls damon_sysfs_upd_tuned_intervals(),\ndamon_sysfs_upd_schemes_stats(), and\ndamon_sysfs_upd_schemes_effective_quotas() without checking contexts->nr. \nIf nr_contexts is set to 0 via sysfs while DAMON is running, these\nfunctions dereference contexts_arr[0] and cause a NULL pointer\ndereference. Add the missing check.\n\nFor example, the issue can be reproduced using DAMON sysfs interface and\nDAMON user-space tool (damo) [1] like below.\n\n $ sudo damo start --refresh_interval 1s\n $ echo 0 | sudo tee \\\n /sys/kernel/mm/damon/admin/kdamonds/0/contexts/nr_contexts"}], "id": "CVE-2026-31457", "lastModified": "2026-04-22T14:16:41.133", "metrics": {}, "published": "2026-04-22T14:16:41.133", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3527e9fdc38570cea0f6ddb7a2c9303d4044b217"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/652cd0641a763dd0e846b0d12814977fadb2b7d8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6557004a8b59c7701e695f02be03c7e20ed1cc15"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"bugzilla": {"description": "kernel: mm/damon/sysfs: check contexts->nr in repeat_call_fn", "id": "2460721", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460721"}, "csaw": false, "cwe": "CWE-476", "details": ["A flaw was found in the Linux kernel. A local user can exploit this vulnerability by setting the `nr_contexts` parameter to zero via the DAMON sysfs interface while DAMON (Data Access MONitor) is active. This improper input validation leads to a NULL pointer dereference, which can cause a system crash and result in a Denial of Service (DoS)."], "name": "CVE-2026-31457", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31457\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31457\nhttps://lore.kernel.org/linux-cve-announce/2026042250-CVE-2026-31457-601a@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d809a7c64ba8229286b333c0cba03b1cdfb50238,3527e9fdc38570cea0f6ddb7a2c9303d4044b217)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d809a7c64ba8229286b333c0cba03b1cdfb50238,652cd0641a763dd0e846b0d12814977fadb2b7d8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d809a7c64ba8229286b333c0cba03b1cdfb50238,6557004a8b59c7701e695f02be03c7e20ed1cc15)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.17"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.17)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-22T19:07:05.714165+00:00", "value": {"mitigation_remediation": ["Apply an updated kernel that includes the null\u2011pointer check in damon_sysfs_repeat_call_fn.", "Disable or stop the Damon daemon before modifying its sysfs context settings.", "Restrict write access to /sys/kernel/mm/damon/* to trusted administrators only."], "summary": {"action": "Apply patch", "impact": "Denial of Service due to kernel crash"}, "threat_synthesis": {"affected_systems": "The flaw exists in any Linux kernel that includes the Damon daemon monitoring functionality. It affects installations where the sysfs settings for Damon\u2019s context count are accessible and can be modified while the daemon is running.", "description_and_impact": "The vulnerability is a NULL pointer dereference in the Linux kernel Damon subsystem. When the number of contexts is set to zero through the sysfs interface while Damon is active, internal functions dereference a null pointer and crash the kernel. This results in a system halt rather than arbitrary code execution.", "risk_and_exploitability": "Because the vulnerability is triggered by writing to /sys/kernel/mm/damon/... the attacker requires privileged access (root or similar). Once the kernel crashes, the system becomes unavailable, creating a denial\u2011of\u2011service condition. The EPSS score is not available and the vulnerability is not listed in CISA KEV, indicating no public exploitation yet. However, a local attacker with sufficient rights can easily trigger the issue using the damo utility or direct sysfs manipulation. The CVSS score is unspecified, but the impact is high for systems with a live Damon process."}}}}, "created": "2026-04-22T17:15:21.909433+00:00", "title": "Null Pointer Dereference in DAMON Sysfs Leading to Crash", "updated": "2026-04-22T19:15:24.479329+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-690"]}