CVE-2026-31481

EUVD-2026-24841

22.04.2026, 14:16

In the Linux kernel, the following vulnerability has been resolved:

tracing: Drain deferred trigger frees if kthread creation fails

Boot-time trigger registration can fail before the trigger-data cleanup
kthread exists. Deferring those frees until late init is fine, but the
post-boot fallback must still drain the deferred list if kthread
creation never succeeds.

Otherwise, boot-deferred nodes can accumulate on
trigger_data_free_list, later frees fall back to synchronously freeing
only the current object, and the older queued entries are leaked
forever.

To trigger this, add the following to the kernel command line:

  trace_event=sched_switch trace_trigger=sched_switch.traceon,sched_switch.traceon

The second traceon trigger will fail and be freed. This triggers a NULL
pointer dereference and crashes the kernel.

Keep the deferred boot-time behavior, but when kthread creation fails,
drain the whole queued list synchronously. Do the same in the late-init
drain path so queued entries are not stranded there either.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.159-1 fixed
bookworm (security)	6.1.164-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.251-1 fixed
forky	6.19.11-1 fixed
sid	6.19.13-1 fixed
trixie	6.12.73-1 fixed
trixie (security)	6.12.74-2 fixed

References

https://git.kernel.org/stable/c/250ab25391edeeab8462b68be42e4904506c409c

https://git.kernel.org/stable/c/771624b7884a83bb9f922ae64ee41a5f8b7576c9