Memory Safety Vulnerability in Linux Kernel Affecting Socket Data Management
CVE-2026-31507

Currently unrated

Key Information:

Vendor: Linux

CVE Published: 22 April 2026

What is CVE-2026-31507?

The Linux kernel contains a double-free condition caused by improper handling of socket memory management. When the tee() system call duplicates a splice pipe buffer, the original and the cloned pipe buffer both reference the same smc_spd_priv object. When both pipe buffers are released, that object is released twice, which can lead to a kernel panic due to a NULL pointer dereference. The current implementation can also corrupt receive-window accounting, because the consumer cursor is erroneously advanced twice for the same data. A refcount mechanism must be employed to resolve the double-free issue, while the cursor-accounting concern needs to be addressed separately.
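
An added example, not code from the kernel or from this advisory: a single-threaded userspace model in C of the ownership problem described above, where a tee()-style clone shares one private object with the original buffer. All struct and function names are hypothetical stand-ins; the model shows a reference count making the last release the only free, while the consumer cursor is still advanced on both releases, which is the separate accounting concern.

```c
#include <stdlib.h>

/* Userspace model only; every name here is a hypothetical stand-in, not kernel code. */
struct conn { size_t cons_cursor; int priv_frees; };        /* receive side of one socket */
struct spd_priv { int refs; size_t len; struct conn *c; };  /* stands in for smc_spd_priv */
struct pipe_buf { struct spd_priv *priv; };                 /* stands in for a pipe buffer */

/* splice: one private object is allocated per pipe buffer, with a single owner. */
static int buf_fill(struct pipe_buf *b, struct conn *c, size_t len)
{
    struct spd_priv *p = malloc(sizeof(*p));
    if (!p)
        return -1;
    p->refs = 1; p->len = len; p->c = c;
    b->priv = p;
    return 0;
}

/* tee(): the clone shares the pointer, so it takes its own reference. */
static void buf_get(struct pipe_buf *dst, const struct pipe_buf *src)
{
    dst->priv = src->priv;
    dst->priv->refs++;   /* plain int: this model is single-threaded */
}

/* release: the cursor moves on every call; only the last owner frees the object. */
static void buf_release(struct pipe_buf *b)
{
    struct spd_priv *p = b->priv;
    b->priv = NULL;
    p->c->cons_cursor += p->len;   /* still runs once per release */
    if (--p->refs == 0) {
        p->c->priv_frees++;
        free(p);
    }
}

/* Splice one buffer of len bytes, tee it, release both; results land in *c. */
static int run_tee_scenario(struct conn *c, size_t len)
{
    struct pipe_buf orig = {0}, clone = {0};
    if (buf_fill(&orig, c, len))
        return -1;
    buf_get(&clone, &orig);
    buf_release(&orig);
    buf_release(&clone);
    return 0;
}

int main(void)
{
    struct conn c = {0};
    run_tee_scenario(&c, 4096);
    return !(c.priv_frees == 1 && c.cons_cursor == 8192);
}
```

Without the `refs++` in `buf_get`, the first release would free the object and the second would touch freed memory; with it, the object is freed once but the cursor ends at twice the spliced length.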

Affected Version(s)

Linux 9014db202cb764b8e14c53e7bacc81f9a1a2ba7f < 7e8916f46c2f48607f907fd401590093753a6bc5

Linux 9014db202cb764b8e14c53e7bacc81f9a1a2ba7f

Linux 9014db202cb764b8e14c53e7bacc81f9a1a2ba7f < 98ba5cb274768146e25ffbfde47753652c1c20d3
