Linux Kernel up to 6.18.19/6.19.9 trace_marker update_marker_trace use after free

| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.6 | $5k-$25k | 0.00 |
Summary
A vulnerability has been found in Linux Kernel up to 6.18.19/6.19.9 and classified as critical. The impacted element is the function update_marker_trace of the file /sys/kernel/tracing/trace_marker. Performing a manipulation results in use after free.
This vulnerability is known as CVE-2026-31541. No exploit is available.
The affected component should be upgraded.
Details
A vulnerability, which was classified as critical, was found in Linux Kernel up to 6.18.19/6.19.9. This affects the function update_marker_trace of the file /sys/kernel/tracing/trace_marker. The manipulation with an unknown input leads to a use after free vulnerability. CWE is classifying the issue as CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:
In the Linux kernel, the following vulnerability has been resolved: tracing: Fix trace_marker copy link list updates When the "copy_trace_marker" option is enabled for an instance, anything written into /sys/kernel/tracing/trace_marker is also copied into that instances buffer. When the option is set, that instance's trace_array descriptor is added to the marker_copies link list. This list is protected by RCU, as all iterations uses an RCU protected list traversal. When the instance is deleted, all the flags that were enabled are cleared. This also clears the copy_trace_marker flag and removes the trace_array descriptor from the list. The issue is after the flags are called, a direct call to update_marker_trace() is performed to clear the flag. This function returns true if the state of the flag changed and false otherwise. If it returns true here, synchronize_rcu() is called to make sure all readers see that its removed from the list. But since the flag was already cleared, the state does not change and the synchronization is never called, leaving a possible UAF bug. Move the clearing of all flags below the updating of the copy_trace_marker option which then makes sure the synchronization is performed. Also use the flag for checking the state in update_marker_trace() instead of looking at if the list is empty.
It is possible to read the advisory at git.kernel.org. This vulnerability is uniquely identified as CVE-2026-31541 since 03/09/2026. The exploitability is told to be easy. Technical details of the vulnerability are known, but there is no available exploit. The pricing for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 07/14/2026).
Upgrading to version 6.18.20 or 6.19.10 eliminates this vulnerability. Applying the patch 75668e58244e63ec3785098a02e1cdcff14a6c2e/cc267e4b4302247dc67ef937a9ac587a696a43c1/07183aac4a6828e474f00b37c9d795d0d99e18a7 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the vulnerability database at CERT Bund (WID-SEC-2026-1279). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Affected
- Google Container-Optimized OS
- Debian Linux
- Red Hat Enterprise Linux
- Ubuntu Linux
- SUSE Linux
- Oracle Linux
- SUSE openSUSE
- RESF Rocky Linux
- Open Source Linux Kernel
- Siemens SIMATIC S7
Product
Type
Vendor
Name
Version
- 6.18.0
- 6.18.1
- 6.18.2
- 6.18.3
- 6.18.4
- 6.18.5
- 6.18.6
- 6.18.7
- 6.18.8
- 6.18.9
- 6.18.10
- 6.18.11
- 6.18.12
- 6.18.13
- 6.18.14
- 6.18.15
- 6.18.16
- 6.18.17
- 6.18.18
- 6.18.19
- 6.19.0
- 6.19.1
- 6.19.2
- 6.19.3
- 6.19.4
- 6.19.5
- 6.19.6
- 6.19.7
- 6.19.8
- 6.19.9
License
Website
- Vendor: https://www.kernel.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 8.0VulDB Meta Temp Score: 7.6
VulDB Base Score: 8.0
VulDB Temp Score: 7.6
VulDB Vector: 🔒
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Use after freeCWE: CWE-416 / CWE-119
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Partially
Availability: 🔒
Status: Not defined
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Upgrade: Kernel 6.18.20/6.19.10
Patch: 75668e58244e63ec3785098a02e1cdcff14a6c2e/cc267e4b4302247dc67ef937a9ac587a696a43c1/07183aac4a6828e474f00b37c9d795d0d99e18a7
Timeline
03/09/2026 CVE reserved04/24/2026 Advisory disclosed
04/24/2026 VulDB entry created
07/14/2026 VulDB entry last update
Sources
Vendor: kernel.orgAdvisory: git.kernel.org
Status: Confirmed
CVE: CVE-2026-31541 (🔒)
GCVE (CVE): GCVE-0-2026-31541
GCVE (VulDB): GCVE-100-359355
CERT Bund: WID-SEC-2026-1279 - Linux Kernel: Mehrere Schwachstellen
Entry
Created: 04/24/2026 17:34Updated: 07/14/2026 12:35
Changes: 04/24/2026 17:34 (59), 05/25/2026 17:22 (7), 06/11/2026 08:24 (1), 07/14/2026 12:35 (1)
Complete: 🔍
Cache ID: 216::103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.