Linux · Linux Kernel · CVE-2026-31787
**Name of the Vulnerable Software and Affected Versions**
Linux kernel (affected versions not specified)
**Description**
A double free issue exists in the Xen privcmd driver. The `privcmd vm ops` defines a `.close` function (`privcmd close`) but lacks `.may split` and `.open` callbacks. When a partial `munmap()` is performed on a privcmd mapping, the kernel splits the Virtual Memory Area (VMA) via ` split vma()`. Because `may split` is NULL, the split is permitted, and `vm area dup()` copies the `vm private data` (a pages array) into the new VMA. Consequently, both VMAs point to the same pages array. When the unmapped portion is closed, `privcmd close()` frees the pages array, leaving the surviving VMA with a dangling pointer. A subsequent destruction of the surviving VMA triggers the same sequence, resulting in a double free.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.