CVE-2026-31555

Summary

In the Linux kernel, the following vulnerability has been resolved:

futex: Clear stale exiting pointer in futex_lock_pi() retry path

Fuzzying/stressing futexes triggered:

WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524

When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY and stores a refcounted task pointer in 'exiting'.

After wait_for_owner_exiting() consumes that reference, the local pointer is never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a different error, the bogus pointer is passed to wait_for_owner_exiting().

CPU0 CPU1 CPU2 futex_lock_pi(uaddr) // acquires the PI futex exit() futex_cleanup_begin() futex_state = EXITING; futex_lock_pi(uaddr) futex_lock_pi_atomic() attach_to_pi_owner() // observes EXITING *exiting = owner; // takes ref return -EBUSY wait_for_owner_exiting(-EBUSY, owner) put_task_struct(); // drops ref // exiting still points to owner goto retry; futex_lock_pi_atomic() lock_pi_update_atomic() cmpxchg(uaddr) *uaddr ^= WAITERS // whatever // value changed return -EAGAIN; wait_for_owner_exiting(-EAGAIN, exiting) // stale WARN_ON_ONCE(exiting)

Fix this by resetting upon retry, essentially aligning it with requeue_pi.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux3ef240eaff36b8119ac9e2ea17cbf41179c930ba < 33095ae3bdde5e5c264d7e88a2f3e7703a26c7aaaffected
LinuxLinux3ef240eaff36b8119ac9e2ea17cbf41179c930ba < e7824ec168d2ac883a213cd1f4d6cc0816002a85affected
LinuxLinux3ef240eaff36b8119ac9e2ea17cbf41179c930ba < 5e8e06bf8909e79b4acd950cf578cfc2f10bbefaaffected
LinuxLinux3ef240eaff36b8119ac9e2ea17cbf41179c930ba < de7c0c04ad868f2cee6671b11c0a6d20421af1daaffected
LinuxLinux3ef240eaff36b8119ac9e2ea17cbf41179c930ba < 7475dfad10a05a5bfadebf5f2499bd61b19ed293affected
LinuxLinux3ef240eaff36b8119ac9e2ea17cbf41179c930ba < 92e47ad03e03dbb5515bdf06444bf6b1e147310daffected
LinuxLinux3ef240eaff36b8119ac9e2ea17cbf41179c930ba < 71112e62807d1925dc3ae6188b11f8cfc85aec23affected
LinuxLinux3ef240eaff36b8119ac9e2ea17cbf41179c930ba < 210d36d892de5195e6766c45519dfb1e65f3eb83affected
LinuxLinuxf2a9957e5c08b1b1caacd18a3dc4c0a1bdb7b463affected
LinuxLinuxcf16e42709aa86aa3e37f3acc3d13d5715d90096affected
LinuxLinux61fa9f167caaa73d0a7c88f498eceeb12c6fa3dbaffected
LinuxLinux7874eee0130adf9bee28e8720bb5dd051089def3affected
LinuxLinuxfc3b55ef2c840bb2746b2d8121a0788de84f7facaffected
LinuxLinux4.4.255 < 4.5affected
LinuxLinux4.9.255 < 4.10affected
LinuxLinux4.14.158 < 4.15affected
LinuxLinux4.19.172 < 4.20affected
LinuxLinux5.4.1 < 5.5affected
LinuxLinux5.5affected
LinuxLinux0 < 5.5unaffected
LinuxLinux5.10.253 <= 5.10.*unaffected
LinuxLinux5.15.203 <= 5.15.*unaffected
LinuxLinux6.1.168 <= 6.1.*unaffected
LinuxLinux6.6.131 <= 6.6.*unaffected
LinuxLinux6.12.80 <= 6.12.*unaffected
LinuxLinux6.18.21 <= 6.18.*unaffected
LinuxLinux6.19.11 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References