CVE-2026-31787

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A double free issue exists in the Xen privcmd driver. The privcmd vm ops defines a .close function (privcmd close) but lacks .may split and .open callbacks. When a partial munmap() is performed on a privcmd mapping, the kernel splits the Virtual Memory Area (VMA) via split vma(). Because may split is NULL, the split is permitted, and vm area dup() copies the vm private data (a pages array) into the new VMA. Consequently, both VMAs point to the same pages array. When the unmapped portion is closed, privcmd close() frees the pages array, leaving the surviving VMA with a dangling pointer. A subsequent destruction of the surviving VMA triggers the same sequence, resulting in a double free.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.