製品・ソフトウェアに関する情報

JVN脆弱性詳細

LinuxのLinux Kernelにおける二重解放に関する脆弱性

Title	LinuxのLinux Kernelにおける二重解放に関する脆弱性
Summary	Linuxカーネルのmm/kasanサブシステムにおいて、kasan pXdsの二重解放の脆弱性が修正されました。本脆弱性は、一部のアーキテクチャ（例えば64Kページサイズのpowerpc）において、ページテーブルのメモリ解放時に不正なアドレス処理が行われ、kasanによる二重解放が発生する問題です。この問題は、ページテーブルが常にstruct pageにアラインされているという誤った前提に基づいていたため、powerpcなどの環境でメモリ破壊やシステムの不安定を引き起こしていました。修正により、ページテーブルの実際の物理アドレスを正しく扱うよう変更されており、これによりkasanの二重解放エラーを防止し、システムの安全性と安定性が向上します。
Possible impacts	当該ソフトウェアが扱う全ての情報が外部に漏れる可能性があります。また、当該ソフトウェアが扱う全ての情報が書き換えられる可能性があります。さらに、当該ソフトウェアが完全に停止する可能性があります。そして、この脆弱性を悪用した攻撃の影響は、他のソフトウェアには及びません。
Solution	リリース情報、またはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。
Publication Date	April 27, 2026, midnight
Registration Date	May 8, 2026, 12:07 p.m.
Last Update	May 8, 2026, 12:07 p.m.

CVSS3.0 : 重要
Score	7.8
Vector	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected System

Linux

Linux Kernel 4.19 以上 6.6.136 未満

Linux Kernel 6.13 以上 6.18.24 未満

Linux Kernel 6.19 以上 6.19.14 未満

Linux Kernel 6.7 以上 6.12.83 未満

Linux Kernel 7.0 以上 7.0.1 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2026-31686	https://www.cve.org/CVERecord?id=CVE-2026-31686
National Vulnerability Database (NVD)
2	CVE-2026-31686	https://nvd.nist.gov/vuln/detail/CVE-2026-31686

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-415	https://cwe.mitre.org/data/definitions/415.html

その他

No	Name	URL
関連文書
1	mm/kasan: fix double free for kasan pXds - kernel/git/stable/linux.git - Linux kernel stable tree (https://git.kernel.org/stable/c/51d8c78be0c27ddb91bc2c0263941d8b30a47d3b)	https://git.kernel.org/stable/c/51d8c78be0c27ddb91bc2c0263941d8b30a47d3b
2	mm/kasan: fix double free for kasan pXds - kernel/git/stable/linux.git - Linux kernel stable tree (https://git.kernel.org/stable/c/85d98614e089a67dc6faa8ca766fe10a639f82b4)	https://git.kernel.org/stable/c/85d98614e089a67dc6faa8ca766fe10a639f82b4
3	mm/kasan: fix double free for kasan pXds - kernel/git/stable/linux.git - Linux kernel stable tree (https://git.kernel.org/stable/c/a05f77cb227c39c5069aea6f12762a29d1e6c103)	https://git.kernel.org/stable/c/a05f77cb227c39c5069aea6f12762a29d1e6c103
4	mm/kasan: fix double free for kasan pXds - kernel/git/stable/linux.git - Linux kernel stable tree (https://git.kernel.org/stable/c/b38237a2ea9c6c19836eee2c57037e1f9f103576)	https://git.kernel.org/stable/c/b38237a2ea9c6c19836eee2c57037e1f9f103576
5	mm/kasan: fix double free for kasan pXds - kernel/git/stable/linux.git - Linux kernel stable tree (https://git.kernel.org/stable/c/cec74b2ab7dff866b1d77eaa545b9e8fd14a1f87)	https://git.kernel.org/stable/c/cec74b2ab7dff866b1d77eaa545b9e8fd14a1f87
6	mm/kasan: fix double free for kasan pXds - kernel/git/stable/linux.git - Linux kernel stable tree (https://git.kernel.org/stable/c/f6204f7ff6aff62ce6242a76982c5ba3a9ded707)	https://git.kernel.org/stable/c/f6204f7ff6aff62ce6242a76982c5ba3a9ded707

Change Log

No	Changed Details	Date of change
1	[2026年05月08日] 掲載	May 8, 2026, 12:07 p.m.

NVD Vulnerability Information

CVE-2026-31686

Summary	In the Linux kernel, the following vulnerability has been resolved: mm/kasan: fix double free for kasan pXds kasan_free_pxd() assumes the page table is always struct page aligned. But that's not always the case for all architectures. E.g. In case of powerpc with 64K pagesize, PUD table (of size 4096) comes from slab cache named pgtable-2^9. Hence instead of page_to_virt(pxd_page()) let's just directly pass the start of the pxd table which is passed as the 1st argument. This fixes the below double free kasan issue seen with PMEM: radix-mmu: Mapped 0x0000047d10000000-0x0000047f90000000 with 2.00 MiB pages ================================================================== BUG: KASAN: double-free in kasan_remove_zero_shadow+0x9c4/0xa20 Free of addr c0000003c38e0000 by task ndctl/2164 CPU: 34 UID: 0 PID: 2164 Comm: ndctl Not tainted 6.19.0-rc1-00048-gea1013c15392 #157 VOLUNTARY Hardware name: IBM,9080-HEX POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_012) hv:phyp pSeries Call Trace: dump_stack_lvl+0x88/0xc4 (unreliable) print_report+0x214/0x63c kasan_report_invalid_free+0xe4/0x110 check_slab_allocation+0x100/0x150 kmem_cache_free+0x128/0x6e0 kasan_remove_zero_shadow+0x9c4/0xa20 memunmap_pages+0x2b8/0x5c0 devm_action_release+0x54/0x70 release_nodes+0xc8/0x1a0 devres_release_all+0xe0/0x140 device_unbind_cleanup+0x30/0x120 device_release_driver_internal+0x3e4/0x450 unbind_store+0xfc/0x110 drv_attr_store+0x78/0xb0 sysfs_kf_write+0x114/0x140 kernfs_fop_write_iter+0x264/0x3f0 vfs_write+0x3bc/0x7d0 ksys_write+0xa4/0x190 system_call_exception+0x190/0x480 system_call_vectored_common+0x15c/0x2ec ---- interrupt: 3000 at 0x7fff93b3d3f4 NIP: 00007fff93b3d3f4 LR: 00007fff93b3d3f4 CTR: 0000000000000000 REGS: c0000003f1b07e80 TRAP: 3000 Not tainted (6.19.0-rc1-00048-gea1013c15392) MSR: 800000000280f033 <SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 48888208 XER: 00000000 <...> NIP [00007fff93b3d3f4] 0x7fff93b3d3f4 LR [00007fff93b3d3f4] 0x7fff93b3d3f4 ---- interrupt: 3000 The buggy address belongs to the object at c0000003c38e0000 which belongs to the cache pgtable-2^9 of size 4096 The buggy address is located 0 bytes inside of 4096-byte region [c0000003c38e0000, c0000003c38e1000) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3c38c head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:c0000003bfd63e01 flags: 0x63ffff800000040(head\|node=6\|zone=0\|lastcpupid=0x7ffff) page_type: f5(slab) raw: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000 raw: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01 head: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000 head: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01 head: 063ffff800000002 c00c000000f0e301 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 page dumped because: kasan: bad access detected [ 138.953636] [ T2164] Memory state around the buggy address: [ 138.953643] [ T2164] c0000003c38dff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953652] [ T2164] c0000003c38dff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953661] [ T2164] >c0000003c38e0000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953669] [ T2164] ^ [ 138.953675] [ T2164] c0000003c38e0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953684] [ T2164] c0000003c38e0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953692] [ T2164] ================================================================== [ 138.953701] [ T2164] Disabling lock debugging due to kernel taint
Publication Date	April 28, 2026, 3:16 a.m.
Registration Date	April 28, 2026, 4:08 a.m.
Last Update	April 28, 2026, 3:32 a.m.

Related information, measures and tools

No	URL	refsource
1	https://git.kernel.org/stable/c/51d8c78be0c27ddb91bc2c0263941d8b30a47d3b	416baaa9-dc9f-4396-8d5f-8c081fb06d67
2	https://git.kernel.org/stable/c/85d98614e089a67dc6faa8ca766fe10a639f82b4	416baaa9-dc9f-4396-8d5f-8c081fb06d67
3	https://git.kernel.org/stable/c/a05f77cb227c39c5069aea6f12762a29d1e6c103	416baaa9-dc9f-4396-8d5f-8c081fb06d67
4	https://git.kernel.org/stable/c/b38237a2ea9c6c19836eee2c57037e1f9f103576	416baaa9-dc9f-4396-8d5f-8c081fb06d67
5	https://git.kernel.org/stable/c/cec74b2ab7dff866b1d77eaa545b9e8fd14a1f87	416baaa9-dc9f-4396-8d5f-8c081fb06d67
6	https://git.kernel.org/stable/c/f6204f7ff6aff62ce6242a76982c5ba3a9ded707	416baaa9-dc9f-4396-8d5f-8c081fb06d67

Common Vulnerabilities List