CVE-2026-31578

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: as102: fix to not free memory after the device is registered in as102_usb_probe()<br /> <br /> In as102_usb driver, the following race condition occurs:<br /> ```<br /> CPU0 CPU1<br /> as102_usb_probe()<br /> kzalloc(); // alloc as102_dev_t<br /> ....<br /> usb_register_dev();<br /> fd = sys_open("/path/to/dev"); // open as102 fd<br /> ....<br /> usb_deregister_dev();<br /> ....<br /> kfree(); // free as102_dev_t<br /> ....<br /> sys_close(fd);<br /> as102_release() // UAF!!<br /> as102_usb_release()<br /> kfree(); // DFB!!<br /> ```<br /> <br /> When a USB character device registered with usb_register_dev() is later<br /> unregistered (via usb_deregister_dev() or disconnect), the device node is<br /> removed so new open() calls fail. However, file descriptors that are<br /> already open do not go away immediately: they remain valid until the last<br /> reference is dropped and the driver&amp;#39;s .release() is invoked.<br /> <br /> In as102, as102_usb_probe() calls usb_register_dev() and then, on an<br /> error path, does usb_deregister_dev() and frees as102_dev_t right away.<br /> If userspace raced a successful open() before the deregistration, that<br /> open FD will later hit as102_release() --&gt; as102_usb_release() and access<br /> or free as102_dev_t again, occur a race to use-after-free and<br /> double-free vuln.<br /> <br /> The fix is to never kfree(as102_dev_t) directly once usb_register_dev()<br /> has succeeded. After deregistration, defer freeing memory to .release().<br /> <br /> In other words, let release() perform the last kfree when the final open<br /> FD is closed.