From 27c4c284f140b3311cfb24a1ca4cbb1b1cad8e2c Mon Sep 17 00:00:00 2001
From: Oracle Linux CVE analysis bot
Date: Fri, 1 May 2026 15:13:45 +0100
Subject: [PATCH 1/2] Analysis for CVE-2025-40274.yml
---
vulns/CVE-2025-40274.yml | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 vulns/CVE-2025-40274.yml
diff --git a/vulns/CVE-2025-40274.yml b/vulns/CVE-2025-40274.yml
new file mode 100644
index 0000000..d21941c
--- /dev/null
+++ b/vulns/CVE-2025-40274.yml
@@ -0,0 +1,11 @@
+reachability: Local
+memory_corruption: true
+bug_class: UaF
+impact: LPE
+privileges_required: false
+notes: |2-
+ Use after free in the KVM guest_memfd unbind path leading to kernel memory
+ corruption and eventually LPE. Reachable from unprivileged user inside guest
+ KVM
+author: Oracle Corporation
+version: v0.1
From 996b506655e82407468904a3cc802cfd2c17c052 Mon Sep 17 00:00:00 2001
From: Oracle Linux CVE analysis bot
Date: Fri, 1 May 2026 15:13:45 +0100
Subject: [PATCH 2/2] Analysis for CVE-2026-31431.yml
---
vulns/CVE-2026-31431.yml | 10 ++++++++++
1 file changed, 10 insertions(+)
create mode 100644 vulns/CVE-2026-31431.yml
diff --git a/vulns/CVE-2026-31431.yml b/vulns/CVE-2026-31431.yml
new file mode 100644
index 0000000..d8d6e65
--- /dev/null
+++ b/vulns/CVE-2026-31431.yml
@@ -0,0 +1,10 @@
+reachability: Local
+memory_corruption: true
+bug_class: OOB write
+impact: LPE
+privileges_required: false
+notes: |2-
+ Exploitable via AF_ALG recvmsg without capabilities - direct from userland
+ syscalls.
+author: Oracle Corporation
+version: v0.1
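Review bot: The note in `vulns/CVE-2025-40274.yml` leaves the attacker position ambiguous: "Reachable from unprivileged user inside guest KVM" can be read as a guest-to-host escape, while `reachability: Local` and `impact: LPE` describe a host-local escalation. If the trigger is the host-side KVM ioctl path, the precondition is access to the KVM device node rather than no privilege at all, and the note should say so, for example `Reachable by an unprivileged host process that can open /dev/kvm.`; this needs confirming against the fix commit, which the page does not show. The `notes: |2-` header here and in `vulns/CVE-2026-31431.yml` carries an explicit indentation indicator, which is only needed when the text starts with extra leading spaces. If the generator emits it because the note begins with stray whitespace, strip the text before dumping and write `notes: |-`.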
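Review bot: The note in `vulns/CVE-2026-31431.yml` names the entry point (AF_ALG `recvmsg`) but not which AF_ALG socket type or algorithm is affected, so a reader triaging this record cannot tell which kernel option or module to restrict until the fix is installed. One extra line in `notes`, such as `Affected interface: <AF_ALG type/algorithm, placeholder, take from the fix commit>`, would make the entry actionable. The phrase "without capabilities - direct from userland syscalls" would also read more clearly as `Reachable from unprivileged userland syscalls; no capabilities required.`.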