CVE-2026-31541

EUVD-2026-25434
In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix trace_marker copy link list updates

When the "copy_trace_marker" option is enabled for an instance, anything
written into /sys/kernel/tracing/trace_marker is also copied into that
instances buffer. When the option is set, that instance's trace_array
descriptor is added to the marker_copies link list. This list is protected
by RCU, as all iterations uses an RCU protected list traversal.

When the instance is deleted, all the flags that were enabled are cleared.
This also clears the copy_trace_marker flag and removes the trace_array
descriptor from the list.

The issue is after the flags are called, a direct call to
update_marker_trace() is performed to clear the flag. This function
returns true if the state of the flag changed and false otherwise. If it
returns true here, synchronize_rcu() is called to make sure all readers
see that its removed from the list.

But since the flag was already cleared, the state does not change and the
synchronization is never called, leaving a possible UAF bug.

Move the clearing of all flags below the updating of the copy_trace_marker
option which then makes sure the synchronization is performed.

Also use the flag for checking the state in update_marker_trace() instead
of looking at if the list is empty.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 3%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
6.16 ≤
𝑥
< 6.18.20
linuxlinux_kernel
6.19 ≤
𝑥
< 6.19.10
linuxlinux_kernel
7.0:rc1
linuxlinux_kernel
7.0:rc2
linuxlinux_kernel
7.0:rc3
linuxlinux_kernel
7.0:rc4
𝑥
= Vulnerable software versions
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
bpftool6.18
Amazon Linux 2023
1:6.18.20-20.229.amzn2023
fixed
bpftool6.18-debuginfo
Amazon Linux 2023
1:6.18.20-20.229.amzn2023
fixed
kernel-livepatch-6.18.20-20.229
Amazon Linux 2023
1:1.0-0.amzn2023
fixed
kernel6.18
Amazon Linux 2023
1:6.18.20-20.229.amzn2023
fixed
kernel6.18-debuginfo
Amazon Linux 2023
1:6.18.20-20.229.amzn2023
fixed
kernel6.18-debuginfo-common-aarch64
Amazon Linux 2023
1:6.18.20-20.229.amzn2023
fixed
kernel6.18-debuginfo-common-x86_64
Amazon Linux 2023
1:6.18.20-20.229.amzn2023
fixed
kernel6.18-devel
Amazon Linux 2023
1:6.18.20-20.229.amzn2023
fixed
kernel6.18-headers
Amazon Linux 2023
1:6.18.20-20.229.amzn2023
fixed
kernel6.18-libbpf
Amazon Linux 2023
1:6.18.20-20.229.amzn2023
fixed
kernel6.18-libbpf-debuginfo
Amazon Linux 2023
1:6.18.20-20.229.amzn2023
fixed
kernel6.18-libbpf-devel
Amazon Linux 2023
1:6.18.20-20.229.amzn2023
fixed
kernel6.18-libbpf-static
Amazon Linux 2023
1:6.18.20-20.229.amzn2023
fixed
kernel6.18-modules-extra
Amazon Linux 2023
1:6.18.20-20.229.amzn2023
fixed
kernel6.18-modules-extra-common
Amazon Linux 2023
1:6.18.20-20.229.amzn2023
fixed
kernel6.18-tools
Amazon Linux 2023
1:6.18.20-20.229.amzn2023
fixed
kernel6.18-tools-debuginfo
Amazon Linux 2023
1:6.18.20-20.229.amzn2023
fixed
kernel6.18-tools-devel
Amazon Linux 2023
1:6.18.20-20.229.amzn2023
fixed
perf6.18
Amazon Linux 2023
1:6.18.20-20.229.amzn2023
fixed
perf6.18-debuginfo
Amazon Linux 2023
1:6.18.20-20.229.amzn2023
fixed
python3-perf6.18
Amazon Linux 2023
1:6.18.20-20.229.amzn2023
fixed
python3-perf6.18-debuginfo
Amazon Linux 2023
1:6.18.20-20.229.amzn2023
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://git.kernel.org/stable/c/07183aac4a6828e474f00b37c9d795d0d99e18a7
https://git.kernel.org/stable/c/75668e58244e63ec3785098a02e1cdcff14a6c2e
https://git.kernel.org/stable/c/cc267e4b4302247dc67ef937a9ac587a696a43c1