Mallory
High

Use-after-free in Linux kernel KVM x86 emulated MMIO write handling

Identifiers: CVE-2026-31588; CWE-416 (Use After Free)

CVE-2026-31588 is a use-after-free vulnerability in the Linux kernel's KVM x86 subsystem during emulated MMIO write handling. The flaw occurs when KVM exits to userspace to service an emulated MMIO write and retains a pointer to the original source value instead of copying the value for small writes. Under the vulnerable conditions, the emulator initiates a write using an on-stack local variable as the source, the write crosses a page boundary, and both pages are MMIO pages. Because KVM's ABI supports only physically contiguous MMIO requests, such an access is split into two fragments and delivered to userspace one fragment at a time. When KVM later completes the first userspace MMIO operation and detects the second fragment, it can generate a second userspace exit that still references the original on-stack variable, resulting in a stale pointer dereference in complete_emulated_mmio(). The fix changes KVM x86 to copy write values of 8 bytes or less into a scratch field in the MMIO fragment instead of pointing directly to the original source value, and adds sanity checks around the assumptions that larger accesses and reads are not affected by current emulator behavior.
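The pointer-versus-copy difference described above can be seen in a small user-space model. This is an added example, not kernel code or the upstream patch: `struct frag`, `split_write`, `frag_bytes` and `write_survives_reuse` are hypothetical names, and the reuse of the source slot is simulated with a live buffer that is overwritten between exits.

```c
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE 4096u

/* Hypothetical user-space model of an MMIO fragment (not the kernel struct). */
struct frag {
    uint64_t gpa;
    unsigned len;
    const uint8_t *data;   /* pre-fix model: borrowed pointer into the source */
    uint8_t scratch[8];    /* fixed model: fragment-owned copy of the bytes */
};

/* Bytes the completion path would hand to userspace for this fragment. */
const uint8_t *frag_bytes(const struct frag *f)
{
    return f->data ? f->data : f->scratch;
}

/* Split a write at page boundaries; copy_small models the fix for len <= 8. */
int split_write(uint64_t gpa, const uint8_t *src, unsigned len,
                int copy_small, struct frag *out, int max)
{
    int n = 0, copy = copy_small && len <= 8;
    while (len) {
        unsigned room = PAGE_SIZE - (unsigned)(gpa & (PAGE_SIZE - 1));
        unsigned now = len < room ? len : room;
        if (n == max) return -1;           /* more fragments than out[] holds */
        out[n] = (struct frag){ .gpa = gpa, .len = now, .data = copy ? NULL : src };
        if (copy)
            memcpy(out[n].scratch, src, now);
        gpa += now; src += now; len -= now; n++;
    }
    return n;
}

/* 1 if userspace still receives the original bytes after the slot is reused. */
int write_survives_reuse(int copy_small)
{
    const uint8_t val[8] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };
    uint8_t slot[8], got[8] = { 0 };  /* slot stands in for the on-stack source */
    struct frag f[2];
    memcpy(slot, val, sizeof slot);
    int n = split_write(PAGE_SIZE - 4, slot, sizeof slot, copy_small, f, 2);
    for (int i = 0; i < n; i++) {
        memcpy(got + (f[i].gpa - f[0].gpa), frag_bytes(&f[i]), f[i].len);
        memset(slot, 0xAA, sizeof slot);   /* constructed reuse of the slot */
    }
    return memcmp(got, val, sizeof got) == 0;
}
```

With `copy_small` set to 0 the second fragment is read from the overwritten slot, so the delivered bytes no longer match the original write; with it set to 1 each fragment carries its own copy.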


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can trigger a kernel use-after-free in the KVM x86 path, leading to invalid memory access, kernel memory corruption, and guest-triggerable host instability. The documented manifestation includes a KASAN-detected use-after-free read in complete_emulated_mmio(), and the issue may cause kernel crashes or denial of service. Because the stale reference can point to freed or repurposed stack memory, there is also potential for broader integrity and confidentiality impact within the host kernel context, depending on exploitability and surrounding conditions.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting untrusted access to KVM virtualization on affected hosts, restricting who can create or run VMs, and avoiding scenarios where untrusted guests can exercise emulated MMIO paths. Because the flaw is in host kernel KVM handling, there is no reliable configuration-only mitigation described in the provided content that fully eliminates the issue short of applying a fixed kernel or disabling affected KVM usage.

Remediation

Patch, then assume compromise.

Update to a Linux kernel release that includes the upstream fix for CVE-2026-31588, specifically the KVM x86 change to use a scratch field in MMIO fragments for small write values. Vendor backports are available in multiple SUSE kernel advisories and corresponding fixed kernel package versions; deploy the distribution-provided patched kernel for the affected product line and reboot into the updated kernel.

PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor    Product         Type
Linux     Linux Kernel    operating_system

Vendor-confirmed product mapping.
