Detections
Analytics

Linux Distros Unpatched Vulnerability : CVE-2026-31648

high Nessus Plugin ID 310508

Synopsis

The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be patched.

Description

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

 - mm: filemap: fix nr_pages calculation overflow in filemap_map_pages() When running stress-ng on my Arm64 machine with v7.0-rc3 kernel, I encountered some very strange crash issues showing up as Bad page state:
 [ 734.496287] BUG: Bad page state in process stress-ng-env pfn:415735fb [ 734.496427] page: refcount:0 mapcount:1 mapping:0000000000000000 index:0x4cf316 pfn:0x415735fb [ 734.496434] flags:
 0x57fffe000000800(owner_2|node=1|zone=2|lastcpupid=0x3ffff) [ 734.496439] raw: 057fffe000000800 0000000000000000 dead000000000122 0000000000000000 [ 734.496440] raw: 00000000004cf316 0000000000000000 0000000000000000 0000000000000000 [ 734.496442] page dumped because: nonzero mapcount After analyzing this page's state, it is hard to understand why the mapcount is not 0 while the refcount is 0, since this page is not where the issue first occurred. By enabling the CONFIG_DEBUG_VM config, I can reproduce the crash as well and captured the first warning where the issue appears: [ 734.469226] page: refcount:33 mapcount:0 mapping:00000000bef2d187 index:0x81a0 pfn:0x415735c0 [ 734.469304] head: order:5 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 734.469315] memcg:ffff000807a8ec00 [ 734.469320] aops:ext4_da_aops ino:100b6f dentry name(?):stress-ng-mmaptorture-9397-0-2736200540 [ 734.469335] flags:
 0x57fffe400000069(locked|uptodate|lru|head|node=1|zone=2|lastcpupid=0x3ffff) ...... [ 734.469364] page dumped because: VM_WARN_ON_FOLIO((_Generic((page + nr_pages - 1), const struct page *: (const struct folio
 *)_compound_head(page + nr_pages - 1), struct page *: (struct folio *)_compound_head(page + nr_pages - 1))) != folio) [ 734.469390] ------------[ cut here ]------------ [ 734.469393] WARNING:
 ./include/linux/rmap.h:351 at folio_add_file_rmap_ptes+0x3b8/0x468, CPU#90: stress-ng-mlock/9430 [ 734.469551] folio_add_file_rmap_ptes+0x3b8/0x468 (P) [ 734.469555] set_pte_range+0xd8/0x2f8 [ 734.469566] filemap_map_folio_range+0x190/0x400 [ 734.469579] filemap_map_pages+0x348/0x638 [ 734.469583] do_fault_around+0x140/0x198 ...... [ 734.469640] el0t_64_sync+0x184/0x188 The code that triggers the warning is: VM_WARN_ON_FOLIO(page_folio(page + nr_pages - 1) != folio, folio), which indicates that set_pte_range() tried to map beyond the large folio's size. By adding more debug information, I found that 'nr_pages' had overflowed in filemap_map_pages(), causing set_pte_range() to establish mappings for a range exceeding the folio size, potentially corrupting fields of pages that do not belong to this folio (e.g., page->_mapcount). After above analysis, I think the possible race is as follows: CPU 0 CPU 1 filemap_map_pages() ext4_setattr() //get and lock folio with old inode->i_size next_uptodate_folio() ....... //shrink the inode->i_size i_size_write(inode, attr->ia_size); //calculate the end_pgoff with the new inode->i_size file_end = DIV_ROUND_UP(i_size_read(mapping->host), PAGE_SIZE) - 1; end_pgoff = min(end_pgoff, file_end); ...... //nr_pages can be overflowed, cause xas.xa_index > end_pgoff end = folio_next_index(folio) - 1; nr_pages = min(end, end_pgoff) - xas.xa_index + 1; ...... //map large folio filemap_map_folio_range() ...... //truncate folios truncate_pagecache(inode, inode->i_size); To fix this issue, move the 'end_pgoff' calculation before next_uptodate_folio(), so the retrieved folio stays consistent with the file end to avoid ---truncated--- (CVE-2026-31648)

Note that Nessus relies on the presence of the package as reported by the vendor.

Solution

There is no known solution at this time.

See Also

https://access.redhat.com/security/cve/cve-2026-31648

https://security-tracker.debian.org/tracker/CVE-2026-31648

Plugin Details

Severity: High

ID: 310508

File Name: unpatched_CVE_2026_31648.nasl

Version: 1.2

Type: Local

Agent: unix

Family: Misc.

Published: 4/27/2026

Updated: 4/28/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 4.7

Temporal Score: 4

Vector: CVSS2#AV:L/AC:M/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-31648

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7.1

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:U/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:kernel-64k-devel-matched, p-cpe:/a:redhat:enterprise_linux:kernel-rt-modules, p-cpe:/a:redhat:enterprise_linux:kernel-debug-core, p-cpe:/a:redhat:enterprise_linux:kernel-64k-debug-modules-core, p-cpe:/a:redhat:enterprise_linux:kernel-64k, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k-debug, p-cpe:/a:redhat:enterprise_linux:kernel-64k-modules-core, p-cpe:/a:redhat:enterprise_linux:rv, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k-debug-modules-core, p-cpe:/a:redhat:enterprise_linux:kernel-uki-virt, cpe:/o:debian:debian_linux:13.0, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-core, p-cpe:/a:redhat:enterprise_linux:libperf, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k-modules-core, p-cpe:/a:redhat:enterprise_linux:kernel-debug-modules, p-cpe:/a:redhat:enterprise_linux:python3-perf, p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel-matched, p-cpe:/a:redhat:enterprise_linux:rtla, p-cpe:/a:redhat:enterprise_linux:kernel-devel-matched, p-cpe:/a:redhat:enterprise_linux:kernel-debug-modules-core, p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel, p-cpe:/a:redhat:enterprise_linux:kernel-rt, p-cpe:/a:redhat:enterprise_linux:kernel-64k-modules, p-cpe:/a:redhat:enterprise_linux:kernel-modules-extra-matched, cpe:/o:debian:debian_linux:12.0, p-cpe:/a:redhat:enterprise_linux:kernel-debug-uki-virt, p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k-debug-core, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k-modules-extra, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k, p-cpe:/a:redhat:enterprise_linux:kernel-modules-extra, p-cpe:/a:redhat:enterprise_linux:kernel-64k-debug-modules, p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-modules, p-cpe:/a:redhat:enterprise_linux:kernel-modules-core, p-cpe:/a:redhat:enterprise_linux:kernel-debug, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k-core, p-cpe:/a:redhat:enterprise_linux:kernel-64k-debug-devel-matched, p-cpe:/a:redhat:enterprise_linux:kernel-rt-core, p-cpe:/a:redhat:enterprise_linux:kernel-64k-debug-devel, p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-modules-core, p-cpe:/a:redhat:enterprise_linux:kernel-64k-debug-core, p-cpe:/a:redhat:enterprise_linux:kernel-doc, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k-devel, p-cpe:/a:redhat:enterprise_linux:kernel-64k-modules-extra, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k-modules, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-modules, p-cpe:/a:redhat:enterprise_linux:kernel-debug-modules-extra, p-cpe:/a:redhat:enterprise_linux:kernel-64k-debug-modules-extra, p-cpe:/a:redhat:enterprise_linux:kernel-64k-debug, p-cpe:/a:redhat:enterprise_linux:kernel, p-cpe:/a:redhat:enterprise_linux:kernel-64k-devel, cpe:/o:redhat:enterprise_linux:10, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k-debug-modules, p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-modules-extra, p-cpe:/a:redhat:enterprise_linux:kernel-modules, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-modules-extra, p-cpe:/a:redhat:enterprise_linux:kernel-rt-modules-core, p-cpe:/a:redhat:enterprise_linux:kernel-64k-core, p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel, p-cpe:/a:redhat:enterprise_linux:kernel-core, p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs, p-cpe:/a:redhat:enterprise_linux:perf, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel, p-cpe:/a:redhat:enterprise_linux:kernel-abi-stablelists, p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm, p-cpe:/a:redhat:enterprise_linux:kernel-tools, p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-devel-matched, p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-core, p-cpe:/a:redhat:enterprise_linux:kernel-devel, p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k-debug-modules-extra, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k-debug-devel, p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-devel, p-cpe:/a:redhat:enterprise_linux:kernel-uki-virt-addons, p-cpe:/a:debian:debian_linux:linux, p-cpe:/a:redhat:enterprise_linux:kernel-rt-modules-extra, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-modules-core

Required KB Items: Host/local_checks_enabled, Host/cpu, global_settings/vendor_unpatched, Host/OS/identifier

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 4/24/2026

Reference Information

CVE: CVE-2026-31648