CVE-2026-31481

Summary

In the Linux kernel, the following vulnerability has been resolved:

tracing: Drain deferred trigger frees if kthread creation fails

Boot-time trigger registration can fail before the trigger-data cleanup kthread exists. Deferring those frees until late init is fine, but the post-boot fallback must still drain the deferred list if kthread creation never succeeds.

Otherwise, boot-deferred nodes can accumulate on trigger_data_free_list, later frees fall back to synchronously freeing only the current object, and the older queued entries are leaked forever.

To trigger this, add the following to the kernel command line:

trace_event=sched_switch trace_trigger=sched_switch.traceon,sched_switch.traceon

The second traceon trigger will fail and be freed. This triggers a NULL pointer dereference and crashes the kernel.

Keep the deferred boot-time behavior, but when kthread creation fails, drain the whole queued list synchronously. Do the same in the late-init drain path so queued entries are not stranded there either.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux61d445af0a7c70018111919e47beaaee15653f2f < 771624b7884a83bb9f922ae64ee41a5f8b7576c9affected
LinuxLinux61d445af0a7c70018111919e47beaaee15653f2f < 250ab25391edeeab8462b68be42e4904506c409caffected
LinuxLinux6.19affected
LinuxLinux0 < 6.19unaffected
LinuxLinux6.19.11 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References