{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "405f61996d9d2e9d497cd9f6b66f41dc28d3d1d8"
            },
            {
              "fixed": "447f8870b484f6596d7a7130e72bd0a3f1e037bb"
            },
            {
              "fixed": "16c92e9bf55fa049ddb5e894dc0623dacd46a620"
            },
            {
              "fixed": "4c04c6b47c361612b1d70cec8f7a60b1482d1400"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.17.0"
            },
            {
              "fixed": "6.18.23"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "6.19.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31652.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/stat: deallocate damon_call() failure leaking damon_ctx\n\ndamon_stat_start() always allocates the module's damon_ctx object\n(damon_stat_context).  Meanwhile, if damon_call() in the function fails,\nthe damon_ctx object is not deallocated.  Hence, if the damon_call() is\nfailed, and the user writes Y to “enabled” again, the previously\nallocated damon_ctx object is leaked.\n\nThis cannot simply be fixed by deallocating the damon_ctx object when\ndamon_call() fails.  That's because damon_call() failure doesn't guarantee\nthe kdamond main function, which accesses the damon_ctx object, is\ncompletely finished.  In other words, if damon_stat_start() deallocates\nthe damon_ctx object after damon_call() failure, the not-yet-terminated\nkdamond could access the freed memory (use-after-free).\n\nFix the leak while avoiding the use-after-free by keeping returning\ndamon_stat_start() without deallocating the damon_ctx object after\ndamon_call() failure, but deallocating it when the function is invoked\nagain and the kdamond is completely terminated.  If the kdamond is not yet\nterminated, simply return -EAGAIN, as the kdamond will soon be terminated.\n\nThe issue was discovered [1] by sashiko.",
  "id": "CVE-2026-31652",
  "modified": "2026-07-08T05:37:14.957815481Z",
  "published": "2026-04-24T14:45:04.930Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/16c92e9bf55fa049ddb5e894dc0623dacd46a620"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/447f8870b484f6596d7a7130e72bd0a3f1e037bb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4c04c6b47c361612b1d70cec8f7a60b1482d1400"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31652.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31652"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "summary": "mm/damon/stat: deallocate damon_call() failure leaking damon_ctx"
}