CVE-2026-31398

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 7.0.0-rc1-00116-g018018a17770

Description A flaw was discovered in the Linux kernel's mm/rmap subsystem related to the restoration of page table entries (PTEs) for lazyfree folios. Specifically, when batch unmapping anonymous lazyfree folios, the code could incorrectly set the entire batch as writable, even if some entries were originally non-writable. This could lead to a kernel crash, as demonstrated by a provided reproducer involving MADV DONTFORK, fork(), MADV DOFORK, and MADV FREE operations. The issue stems from an incorrect handling of the writable bit during batching, potentially allowing writable pages to be mapped into multiple processes, violating anonymous memory/CoW semantics. The reproducer involves faulting a 64K large folio, splitting a VMA, forking a process, merging VMAs, and triggering reclaim, ultimately leading to a bug in page table check set().

Recommendations Update to Linux kernel version 7.0.0-rc1-00116-g018018a17770 or later.