CVE-2026-31541

Description

In the Linux kernel, the following vulnerability has been resolved: tracing: Fix trace_marker copy link list updates When the "copy_trace_marker" option is enabled for an instance, anything written into /sys/kernel/tracing/trace_marker is also copied into that instances buffer. When the option is set, that instance's trace_array descriptor is added to the marker_copies link list. This list is protected by RCU, as all iterations uses an RCU protected list traversal. When the instance is deleted, all the flags that were enabled are cleared. This also clears the copy_trace_marker flag and removes the trace_array descriptor from the list. The issue is after the flags are called, a direct call to update_marker_trace() is performed to clear the flag. This function returns true if the state of the flag changed and false otherwise. If it returns true here, synchronize_rcu() is called to make sure all readers see that its removed from the list. But since the flag was already cleared, the state does not change and the synchronization is never called, leaving a possible UAF bug. Move the clearing of all flags below the updating of the copy_trace_marker option which then makes sure the synchronization is performed. Also use the flag for checking the state in update_marker_trace() instead of looking at if the list is empty.

Predictions

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

References

• https://git.kernel.org/stable/c/07183aac4a6828e474f00b37c9d795d0d99e18a7
• https://git.kernel.org/stable/c/75668e58244e63ec3785098a02e1cdcff14a6c2e
• https://git.kernel.org/stable/c/cc267e4b4302247dc67ef937a9ac587a696a43c1
• https://www.suse.com/security/cve/CVE-2026-31541.html
• https://security-tracker.debian.org/tracker/CVE-2026-31541

CWEs

CWE-416