APPLIED[HWE-6.17]/Cmnt: [SRU][Q][PATCH 0/1] CVE-2026-31589
Stefan Bader
stefan.bader at canonical.com
Tue Jul 14 13:36:23 UTC 2026
On 23/06/2026 05:43, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-31589
>
> [ Impact ]
>
> In folio_unmap_invalidate(), filemap_free_folio() could be called after the
> folio had already been removed from the mapping, at a point where the code no
> longer held a reference to or a lock on the mapping. Since the folio no longer
> pinned the mapping, the mapping could be freed concurrently, leading to a use-
> after-free when accessing mapping->a_ops. With a CVSS score of 9.8, this is
> remotely exploitable and can lead to memory corruption or privilege escalation.
>
> [ Fix ]
>
> questing: backported with AI-assisted adaptation
>
> [ Test Plan ]
>
> Boot tested.
>
> [ Where Problems Could Occur ]
>
> A regression in this memory management change could affect folio invalidation
> and the page cache writeback path, potentially causing incorrect free_folio()
> callback handling or leaks. Any error here would manifest in core mm behavior
> and could impact filesystem and I/O stability across the system.
>
Applied to noble:linux-hwe-6.17/hwe-6.17-next. Thanks.
-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 52669 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260714/a93f4d43/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260714/a93f4d43/attachment-0001.sig>
More information about the kernel-team
mailing list