{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31648", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.128Z", "datePublished": "2026-04-24T14:45:01.728Z", "dateUpdated": "2026-04-24T14:45:01.728Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-24T14:45:01.728Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: filemap: fix nr_pages calculation overflow in filemap_map_pages()\n\nWhen running stress-ng on my Arm64 machine with v7.0-rc3 kernel, I\nencountered some very strange crash issues showing up as \"Bad page state\":\n\n\"\n[ 734.496287] BUG: Bad page state in process stress-ng-env pfn:415735fb\n[ 734.496427] page: refcount:0 mapcount:1 mapping:0000000000000000 index:0x4cf316 pfn:0x415735fb\n[ 734.496434] flags: 0x57fffe000000800(owner_2|node=1|zone=2|lastcpupid=0x3ffff)\n[ 734.496439] raw: 057fffe000000800 0000000000000000 dead000000000122 0000000000000000\n[ 734.496440] raw: 00000000004cf316 0000000000000000 0000000000000000 0000000000000000\n[ 734.496442] page dumped because: nonzero mapcount\n\"\n\nAfter analyzing this page\u2019s state, it is hard to understand why the\nmapcount is not 0 while the refcount is 0, since this page is not where\nthe issue first occurred. By enabling the CONFIG_DEBUG_VM config, I can\nreproduce the crash as well and captured the first warning where the issue\nappears:\n\n\"\n[ 734.469226] page: refcount:33 mapcount:0 mapping:00000000bef2d187 index:0x81a0 pfn:0x415735c0\n[ 734.469304] head: order:5 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[ 734.469315] memcg:ffff000807a8ec00\n[ 734.469320] aops:ext4_da_aops ino:100b6f dentry name(?):\"stress-ng-mmaptorture-9397-0-2736200540\"\n[ 734.469335] flags: 0x57fffe400000069(locked|uptodate|lru|head|node=1|zone=2|lastcpupid=0x3ffff)\n......\n[ 734.469364] page dumped because: VM_WARN_ON_FOLIO((_Generic((page + nr_pages - 1),\nconst struct page *: (const struct folio *)_compound_head(page + nr_pages - 1), struct page *:\n(struct folio *)_compound_head(page + nr_pages - 1))) != folio)\n[ 734.469390] ------------[ cut here ]------------\n[ 734.469393] WARNING: ./include/linux/rmap.h:351 at folio_add_file_rmap_ptes+0x3b8/0x468,\nCPU#90: stress-ng-mlock/9430\n[ 734.469551] folio_add_file_rmap_ptes+0x3b8/0x468 (P)\n[ 734.469555] set_pte_range+0xd8/0x2f8\n[ 734.469566] filemap_map_folio_range+0x190/0x400\n[ 734.469579] filemap_map_pages+0x348/0x638\n[ 734.469583] do_fault_around+0x140/0x198\n......\n[ 734.469640] el0t_64_sync+0x184/0x188\n\"\n\nThe code that triggers the warning is: \"VM_WARN_ON_FOLIO(page_folio(page +\nnr_pages - 1) != folio, folio)\", which indicates that set_pte_range()\ntried to map beyond the large folio\u2019s size.\n\nBy adding more debug information, I found that 'nr_pages' had overflowed\nin filemap_map_pages(), causing set_pte_range() to establish mappings for\na range exceeding the folio size, potentially corrupting fields of pages\nthat do not belong to this folio (e.g., page->_mapcount).\n\nAfter above analysis, I think the possible race is as follows:\n\nCPU 0 CPU 1\nfilemap_map_pages() ext4_setattr()\n //get and lock folio with old inode->i_size\n next_uptodate_folio()\n\n .......\n //shrink the inode->i_size\n i_size_write(inode, attr->ia_size);\n\n //calculate the end_pgoff with the new inode->i_size\n file_end = DIV_ROUND_UP(i_size_read(mapping->host), PAGE_SIZE) - 1;\n end_pgoff = min(end_pgoff, file_end);\n\n ......\n //nr_pages can be overflowed, cause xas.xa_index > end_pgoff\n end = folio_next_index(folio) - 1;\n nr_pages = min(end, end_pgoff) - xas.xa_index + 1;\n\n ......\n //map large folio\n filemap_map_folio_range()\n ......\n //truncate folios\n truncate_pagecache(inode, inode->i_size);\n\nTo fix this issue, move the 'end_pgoff' calculation before\nnext_uptodate_folio(), so the retrieved folio stays consistent with the\nfile end to avoid \n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/filemap.c"], "versions": [{"version": "fe601b70eac6cd266e8d7d55030e90a73ed0e339", "lessThan": "88591194df736a508dd5461ab2167a61e98caac1", "status": "affected", "versionType": "git"}, {"version": "743a2753a02e805347969f6f89f38b736850d808", "lessThan": "633ab680c405ac390e6bec5b74aaf46197c837b6", "status": "affected", "versionType": "git"}, {"version": "743a2753a02e805347969f6f89f38b736850d808", "lessThan": "576543bedd616254032d4ebe54a90076f9e31740", "status": "affected", "versionType": "git"}, {"version": "743a2753a02e805347969f6f89f38b736850d808", "lessThan": "9316a820b9aae07d44469d6485376dad824c5b3f", "status": "affected", "versionType": "git"}, {"version": "743a2753a02e805347969f6f89f38b736850d808", "lessThan": "f58df566524ebcdfa394329c64f47e3c9257516e", "status": "affected", "versionType": "git"}, {"version": "84ede15f27c06b111d1398dfa80b6fac4b135e34", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/filemap.c"], "versions": [{"version": "6.12", "status": "affected"}, {"version": "0", "lessThan": "6.12", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.135", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.82", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.23", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.13", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.117", "versionEndExcluding": "6.6.135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.12.82"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.18.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.19.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "7.0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.159"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/88591194df736a508dd5461ab2167a61e98caac1"}, {"url": "https://git.kernel.org/stable/c/633ab680c405ac390e6bec5b74aaf46197c837b6"}, {"url": "https://git.kernel.org/stable/c/576543bedd616254032d4ebe54a90076f9e31740"}, {"url": "https://git.kernel.org/stable/c/9316a820b9aae07d44469d6485376dad824c5b3f"}, {"url": "https://git.kernel.org/stable/c/f58df566524ebcdfa394329c64f47e3c9257516e"}], "title": "mm: filemap: fix nr_pages calculation overflow in filemap_map_pages()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: filemap: fix nr_pages calculation overflow in filemap_map_pages()\n\nWhen running stress-ng on my Arm64 machine with v7.0-rc3 kernel, I\nencountered some very strange crash issues showing up as \"Bad page state\":\n\n\"\n[ 734.496287] BUG: Bad page state in process stress-ng-env pfn:415735fb\n[ 734.496427] page: refcount:0 mapcount:1 mapping:0000000000000000 index:0x4cf316 pfn:0x415735fb\n[ 734.496434] flags: 0x57fffe000000800(owner_2|node=1|zone=2|lastcpupid=0x3ffff)\n[ 734.496439] raw: 057fffe000000800 0000000000000000 dead000000000122 0000000000000000\n[ 734.496440] raw: 00000000004cf316 0000000000000000 0000000000000000 0000000000000000\n[ 734.496442] page dumped because: nonzero mapcount\n\"\n\nAfter analyzing this page\u2019s state, it is hard to understand why the\nmapcount is not 0 while the refcount is 0, since this page is not where\nthe issue first occurred. By enabling the CONFIG_DEBUG_VM config, I can\nreproduce the crash as well and captured the first warning where the issue\nappears:\n\n\"\n[ 734.469226] page: refcount:33 mapcount:0 mapping:00000000bef2d187 index:0x81a0 pfn:0x415735c0\n[ 734.469304] head: order:5 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[ 734.469315] memcg:ffff000807a8ec00\n[ 734.469320] aops:ext4_da_aops ino:100b6f dentry name(?):\"stress-ng-mmaptorture-9397-0-2736200540\"\n[ 734.469335] flags: 0x57fffe400000069(locked|uptodate|lru|head|node=1|zone=2|lastcpupid=0x3ffff)\n......\n[ 734.469364] page dumped because: VM_WARN_ON_FOLIO((_Generic((page + nr_pages - 1),\nconst struct page *: (const struct folio *)_compound_head(page + nr_pages - 1), struct page *:\n(struct folio *)_compound_head(page + nr_pages - 1))) != folio)\n[ 734.469390] ------------[ cut here ]------------\n[ 734.469393] WARNING: ./include/linux/rmap.h:351 at folio_add_file_rmap_ptes+0x3b8/0x468,\nCPU#90: stress-ng-mlock/9430\n[ 734.469551] folio_add_file_rmap_ptes+0x3b8/0x468 (P)\n[ 734.469555] set_pte_range+0xd8/0x2f8\n[ 734.469566] filemap_map_folio_range+0x190/0x400\n[ 734.469579] filemap_map_pages+0x348/0x638\n[ 734.469583] do_fault_around+0x140/0x198\n......\n[ 734.469640] el0t_64_sync+0x184/0x188\n\"\n\nThe code that triggers the warning is: \"VM_WARN_ON_FOLIO(page_folio(page +\nnr_pages - 1) != folio, folio)\", which indicates that set_pte_range()\ntried to map beyond the large folio\u2019s size.\n\nBy adding more debug information, I found that 'nr_pages' had overflowed\nin filemap_map_pages(), causing set_pte_range() to establish mappings for\na range exceeding the folio size, potentially corrupting fields of pages\nthat do not belong to this folio (e.g., page->_mapcount).\n\nAfter above analysis, I think the possible race is as follows:\n\nCPU 0 CPU 1\nfilemap_map_pages() ext4_setattr()\n //get and lock folio with old inode->i_size\n next_uptodate_folio()\n\n .......\n //shrink the inode->i_size\n i_size_write(inode, attr->ia_size);\n\n //calculate the end_pgoff with the new inode->i_size\n file_end = DIV_ROUND_UP(i_size_read(mapping->host), PAGE_SIZE) - 1;\n end_pgoff = min(end_pgoff, file_end);\n\n ......\n //nr_pages can be overflowed, cause xas.xa_index > end_pgoff\n end = folio_next_index(folio) - 1;\n nr_pages = min(end, end_pgoff) - xas.xa_index + 1;\n\n ......\n //map large folio\n filemap_map_folio_range()\n ......\n //truncate folios\n truncate_pagecache(inode, inode->i_size);\n\nTo fix this issue, move the 'end_pgoff' calculation before\nnext_uptodate_folio(), so the retrieved folio stays consistent with the\nfile end to avoid \n---truncated---"}], "id": "CVE-2026-31648", "lastModified": "2026-04-24T17:51:40.810", "metrics": {}, "published": "2026-04-24T15:16:44.193", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/576543bedd616254032d4ebe54a90076f9e31740"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/633ab680c405ac390e6bec5b74aaf46197c837b6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/88591194df736a508dd5461ab2167a61e98caac1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9316a820b9aae07d44469d6485376dad824c5b3f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f58df566524ebcdfa394329c64f47e3c9257516e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: mm: filemap: fix nr_pages calculation overflow in filemap_map_pages()", "id": "2461541", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461541"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-190", "details": ["A flaw was found in the Linux kernel. A race condition in the `filemap_map_pages()` function can lead to an integer overflow during the calculation of `nr_pages`. This overflow causes the system to map memory beyond the intended boundaries of a memory block, potentially corrupting critical page metadata. An attacker with local access could exploit this to cause system instability or a denial of service."], "name": "CVE-2026-31648", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31648\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31648\nhttps://lore.kernel.org/linux-cve-announce/2026042459-CVE-2026-31648-f2de@gregkh/T"], "threat_severity": "Moderate"}

{}