
CVE-2026-31541

Severity: High
Weakness type: CWE-416 (Use After Free)
Published: Apr 24, 2026  ·  Modified: May 1, 2026  ·  Source: NVD
CVSS v3: 7.8
📄 Description (English)

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix trace_marker copy link list updates

When the "copy_trace_marker" option is enabled for an instance, anything
written into /sys/kernel/tracing/trace_marker is also copied into that
instance's buffer. When the option is set, that instance's trace_array
descriptor is added to the marker_copies link list. This list is protected
by RCU, as all iterations use an RCU protected list traversal.

When the instance is deleted, all the flags that were enabled are cleared.
This also clears the copy_trace_marker flag and removes the trace_array
descriptor from the list.

The issue is after the flags are called, a direct call to
update_marker_trace() is performed to clear the flag. This function
returns true if the state of the flag changed and false otherwise. If it
returns true here, synchronize_rcu() is called to make sure all readers
see that it's removed from the list.

But since the flag was already cleared, the state does not change and the
synchronization is never called, leaving a possible UAF bug.

Move the clearing of all flags below the updating of the copy_trace_marker
option which then makes sure the synchronization is performed.

Also use the flag for checking the state in update_marker_trace() instead
of looking at if the list is empty.

🤖 AI Executive Summary

A use-after-free (UAF) vulnerability exists in the Linux kernel's trace_marker functionality, in the path that disables the copy_trace_marker option. It is caused by improper RCU synchronization during instance deletion: the synchronize_rcu() call is skipped when the copy_trace_marker flag is cleared. This could allow local attackers to trigger memory corruption or denial of service on affected systems.
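
The ordering problem described above, reduced to a user-space C model. This is an added example, not the kernel's code or the upstream patch: the struct fields, COPY_MARKER, clear_all_flags() and the two remove_instance_* functions are hypothetical stand-ins, and synchronize_rcu() is only a counter, not a real grace-period wait.

```c
#include <stdbool.h>
#include <stdio.h>

#define COPY_MARKER 0x1u  /* stands in for the copy_trace_marker flag */
struct trace_array { unsigned int flags; bool on_marker_copies; };

static int sync_calls;  /* modelled synchronize_rcu() calls */
static void synchronize_rcu(void) { sync_calls++; }

/* Returns true only when the flag state actually changes. */
static bool update_marker_trace(struct trace_array *tr, bool enable) {
    if (enable == ((tr->flags & COPY_MARKER) != 0))
        return false;
    tr->flags = enable ? (tr->flags | COPY_MARKER) : (tr->flags & ~COPY_MARKER);
    tr->on_marker_copies = enable;  /* link or unlink on marker_copies */
    return true;
}

/* Clearing every flag also unlinks the entry, but waits for no reader. */
static void clear_all_flags(struct trace_array *tr) {
    update_marker_trace(tr, false);
    tr->flags = 0;
}

/* Order before the fix: the later call sees no change, so no sync. */
static int remove_instance_before_fix(struct trace_array *tr) {
    sync_calls = 0;
    clear_all_flags(tr);
    if (update_marker_trace(tr, false))
        synchronize_rcu();
    return sync_calls;  /* grace periods waited before the free */
}

/* Order after the fix: copy_trace_marker first, then the other flags. */
static int remove_instance_after_fix(struct trace_array *tr) {
    sync_calls = 0;
    if (update_marker_trace(tr, false))
        synchronize_rcu();
    clear_all_flags(tr);
    return sync_calls;
}

int main(void) {
    struct trace_array a = { COPY_MARKER, true }, b = { COPY_MARKER, true };
    printf("before fix: %d sync call(s), after fix: %d\n",
           remove_instance_before_fix(&a), remove_instance_after_fix(&b));
    return 0;
}
```

In both orders the descriptor ends up off the list; the difference is whether a grace period is waited for before the descriptor would be freed.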


🤖 AI Intelligence Analysis (analyzed: Apr 29, 2026 15:07)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily affects Saudi organizations running Linux-based infrastructure, particularly: (1) Government agencies and NCA systems using Linux servers for critical operations; (2) ARAMCO and energy sector facilities relying on Linux-based SCADA and industrial control systems; (3) Banking and SAMA-regulated financial institutions using Linux for backend services; (4) Telecom operators (STC, Mobily, Zain) operating Linux-based network infrastructure; (5) Healthcare providers using Linux servers for patient data management. The local privilege escalation potential makes this particularly dangerous in multi-tenant cloud environments and shared hosting scenarios common in Saudi Arabia.
🏢 Affected Saudi Sectors
Government, Banking and Financial Services, Energy and Utilities, Telecommunications, Healthcare, Cloud Service Providers, Critical Infrastructure
⚖️ Saudi Risk Score (AI): 7.2 / 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all Linux systems running affected kernel versions (7.0-rc1 through 7.0-rc4 and earlier versions with the vulnerability)
2. Disable the copy_trace_marker option on tracing instances that do not actively use it: echo 0 > /sys/kernel/tracing/instances/<instance>/options/copy_trace_marker
3. Restrict access to /sys/kernel/tracing/trace_marker to authorized users only: chmod 600 /sys/kernel/tracing/trace_marker

Patching Guidance:
1. Apply the latest stable kernel patch that includes the fix for trace_marker RCU synchronization
2. Test patches in non-production environments first, particularly for SCADA/industrial systems
3. Schedule maintenance windows for kernel updates on critical infrastructure
4. Verify patch application by checking the running kernel version after reboot against the fixed version in your distribution's advisory: uname -r

Compensating Controls (if immediate patching not possible):
1. Implement kernel module loading restrictions: echo 1 > /proc/sys/kernel/modules_disabled
2. Enable SELinux/AppArmor with strict tracing policies
3. Monitor /sys/kernel/tracing/ directory for unauthorized access
4. Implement kernel audit rules: auditctl -w /sys/kernel/tracing/ -p wa -k trace_marker_access

Detection Rules:
1. Monitor for kernel oops/panic messages related to trace_marker
2. Alert on UAF detection: dmesg | grep -i 'use-after-free\|UAF\|trace_marker'
3. Track process access to /sys/kernel/tracing/trace_marker: auditctl -a always,exit -F dir=/sys/kernel/tracing/ -F perm=w -k trace_access
4. Monitor for unexpected kernel memory corruption patterns in system logs
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.12.2.1 - Change management procedures
ECC 2024 A.12.1.2 - Monitoring of system use
🔵 SAMA CSF
SAMA CSF ID.RA-1 - Asset management and vulnerability identification
SAMA CSF PR.IP-12 - System and information integrity
SAMA CSF DE.CM-1 - Detection and analysis of anomalies
🟡 ISO 27001:2022
ISO 27001:2022 A.12.2.1 - Change management
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
ISO 27001:2022 A.14.2.1 - Secure development policy
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates
PCI DSS 11.2 - Vulnerability scanning
📦 Affected Products / CPE 6 entries
linux:linux_kernel
linux:linux_kernel
linux:linux_kernel:7.0
linux:linux_kernel:7.0
linux:linux_kernel:7.0
linux:linux_kernel:7.0
📊 CVSS Score
7.8 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: L (Local)
Attack Complexity: L (Low)
Privileges Required: L (Low)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: H (High)
Availability: H (High)
📋 Quick Facts
Severity: High
CVSS Score: 7.8
CWE: CWE-416
EPSS: 0.02%
Exploit: No
Patch: Yes
Published: 2026-04-24
Source Feed: nvd
🇸🇦 Saudi Risk Score: 7.2 / 10.0
Priority: HIGH
🏷️ Tags: patch-available, CWE-416