CVE-2026-31507

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A double-free issue exists in the SMC implementation of the Linux kernel. The smc rx splice() function allocates an smc spd priv object per pipe buffer and stores the pointer in pipe buffer.private. When the tee() system call duplicates a pipe buffer, the smc spd priv pointer is shared between the original and the cloned buffer because the .get callback only increments the page reference count. Consequently, when both pipes are released, the smc rx pipe buf release() function is called twice for the same object, leading to a slab-use-after-free and a potential kernel panic via a NULL-pointer dereference in the smc rx update consumer() function.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.