CVE-2026-31555

EUVD-2026-25448
In the Linux kernel, the following vulnerability has been resolved:

futex: Clear stale exiting pointer in futex_lock_pi() retry path

Fuzzying/stressing futexes triggered:

    WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524

When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY
and stores a refcounted task pointer in 'exiting'.

After wait_for_owner_exiting() consumes that reference, the local pointer
is never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a
different error, the bogus pointer is passed to wait_for_owner_exiting().

  CPU0			     CPU1		       CPU2
  futex_lock_pi(uaddr)
  // acquires the PI futex
  exit()
    futex_cleanup_begin()
      futex_state = EXITING;
			     futex_lock_pi(uaddr)
			       futex_lock_pi_atomic()
				 attach_to_pi_owner()
				   // observes EXITING
				   *exiting = owner;  // takes ref
				   return -EBUSY
			       wait_for_owner_exiting(-EBUSY, owner)
				 put_task_struct();   // drops ref
			       // exiting still points to owner
			       goto retry;
			       futex_lock_pi_atomic()
				 lock_pi_update_atomic()
				   cmpxchg(uaddr)
					*uaddr ^= WAITERS // whatever
				   // value changed
				 return -EAGAIN;
			       wait_for_owner_exiting(-EAGAIN, exiting) // stale
				 WARN_ON_ONCE(exiting)

Fix this by resetting upon retry, essentially aligning it with requeue_pi.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 7%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
4.4.255 ≤
𝑥
< 4.5
linuxlinux_kernel
4.9.255 ≤
𝑥
< 4.10
linuxlinux_kernel
4.14.158 ≤
𝑥
< 4.15
linuxlinux_kernel
4.19.172 ≤
𝑥
< 4.20
linuxlinux_kernel
5.4.1 ≤
𝑥
< 5.5
linuxlinux_kernel
5.5.1 ≤
𝑥
< 5.10.253
linuxlinux_kernel
5.11 ≤
𝑥
< 5.15.203
linuxlinux_kernel
5.16 ≤
𝑥
< 6.1.168
linuxlinux_kernel
6.2 ≤
𝑥
< 6.6.131
linuxlinux_kernel
6.7 ≤
𝑥
< 6.12.80
linuxlinux_kernel
6.13 ≤
𝑥
< 6.18.21
linuxlinux_kernel
6.19 ≤
𝑥
< 6.19.11
linuxlinux_kernel
5.5
linuxlinux_kernel
7.0:rc1
linuxlinux_kernel
7.0:rc2
linuxlinux_kernel
7.0:rc3
linuxlinux_kernel
7.0:rc4
linuxlinux_kernel
7.0:rc5
linuxlinux_kernel
7.0:rc6
linuxlinux_kernel
7.0:rc7
𝑥
= Vulnerable software versions
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
bpftool
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
bpftool-debuginfo
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
bpftool6.12
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
bpftool6.12-debuginfo
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
bpftool6.18
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
bpftool6.18-debuginfo
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-debuginfo
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-debuginfo-common-aarch64
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-debuginfo-common-x86_64
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-devel
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-headers
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-libbpf
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-libbpf-debuginfo
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-libbpf-devel
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-libbpf-static
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-livepatch-6.1.168-202.320
Amazon Linux 2023
1:1.0-0.amzn2023
fixed
kernel-livepatch-6.12.80-105.147
Amazon Linux 2023
1:1.0-0.amzn2023
fixed
kernel-livepatch-6.18.25-52.107
Amazon Linux 2023
1:1.0-0.amzn2023
fixed
kernel-modules-extra
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-modules-extra-common
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-tools
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-tools-debuginfo
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel-tools-devel
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
kernel6.12
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-debuginfo
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-debuginfo-common-aarch64
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-debuginfo-common-x86_64
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-devel
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-headers
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-libbpf
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-libbpf-debuginfo
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-libbpf-devel
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-libbpf-static
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-modules-extra
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-modules-extra-common
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-tools
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-tools-debuginfo
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-tools-devel
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.18
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-debuginfo
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-debuginfo-common-aarch64
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-debuginfo-common-x86_64
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-devel
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-headers
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-modules-extra
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-modules-extra-common
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-tools
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-tools-debuginfo
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-tools-devel
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
perf
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
perf-debuginfo
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
perf6.12
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
perf6.12-debuginfo
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
perf6.18
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
perf6.18-debuginfo
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
python3-perf
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
python3-perf-debuginfo
Amazon Linux 2023
1:6.1.168-202.320.amzn2023
fixed
python3-perf6.12
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
python3-perf6.12-debuginfo
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
python3-perf6.18
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
python3-perf6.18-debuginfo
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
kernel
Azure Linux 3.0
0:6.6.134.1-2.azl3
fixed
Vulnerability Media Exposure
References
https://git.kernel.org/stable/c/210d36d892de5195e6766c45519dfb1e65f3eb83
https://git.kernel.org/stable/c/33095ae3bdde5e5c264d7e88a2f3e7703a26c7aa
https://git.kernel.org/stable/c/5e8e06bf8909e79b4acd950cf578cfc2f10bbefa
https://git.kernel.org/stable/c/71112e62807d1925dc3ae6188b11f8cfc85aec23
https://git.kernel.org/stable/c/7475dfad10a05a5bfadebf5f2499bd61b19ed293
https://git.kernel.org/stable/c/92e47ad03e03dbb5515bdf06444bf6b1e147310d
https://git.kernel.org/stable/c/de7c0c04ad868f2cee6671b11c0a6d20421af1da
https://git.kernel.org/stable/c/e7824ec168d2ac883a213cd1f4d6cc0816002a85