CVE-2026-31689

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/04/2026
Last modified:
27/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

EDAC/mc: Fix error path ordering in edac_mc_alloc()

When the mci->pvt_info allocation in edac_mc_alloc() fails, the error path will call put_device() which will end up calling the device's release function.

However, the init ordering is wrong such that device_initialize() happens *after* the failed allocation and thus the device itself and the release function pointer are not initialized yet when they're called:

  MCE: In-kernel MCE decoding enabled.
  ------------[ cut here ]------------
  kobject: '(null)': is not initialized, yet kobject_put() is being called.
  WARNING: lib/kobject.c:734 at kobject_put, CPU#22: systemd-udevd
  CPU: 22 UID: 0 PID: 538 Comm: systemd-udevd Not tainted 7.0.0-rc1+ #2 PREEMPT(full)
  RIP: 0010:kobject_put
  Call Trace:
   edac_mc_alloc+0xbe/0xe0 [edac_core]
   amd64_edac_init+0x7a4/0xff0 [amd64_edac]
   ? __pfx_amd64_edac_init+0x10/0x10 [amd64_edac]
   do_one_initcall
   ...

Reorder the calling sequence so that the device is initialized and thus the release function pointer is properly set before it can be used.

This was found by Claude while reviewing another EDAC patch.
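The ordering problem described above can be shown in a small userspace model. This is an added example, not code from the kernel or from the patch; `model_dev`, `model_device_initialize()`, `model_put_device()` and `model_alloc_fail_path()` are hypothetical stand-ins, and the failing private-data allocation is simulated.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only; every name here is a hypothetical stand-in. */
struct model_dev {
    int initialized;                       /* set by model_device_initialize() */
    int refcount;
    void (*release)(struct model_dev *);   /* NULL until initialized */
};

static int released;                       /* release callbacks that have run */

static void model_release(struct model_dev *d) { released++; free(d); }

static void model_device_initialize(struct model_dev *d)
{
    d->initialized = 1;
    d->refcount = 1;
    d->release = model_release;
}

/* Returns 0 for a valid put, -1 when the object was never initialized
 * (the condition the kobject_put() WARNING in the trace reports). */
static int model_put_device(struct model_dev *d)
{
    if (!d->initialized)
        return -1;                         /* no release pointer set yet */
    if (--d->refcount == 0)
        d->release(d);
    return 0;
}

/* Error path after a simulated private-data allocation failure.
 * init_first = 0 models the broken ordering, 1 the reordered sequence. */
int model_alloc_fail_path(int init_first)
{
    struct model_dev *d = calloc(1, sizeof(*d));
    int rc;

    if (!d)
        return -2;
    if (init_first)
        model_device_initialize(d);
    rc = model_put_device(d);              /* cleanup relies on release() */
    if (rc < 0)
        free(d);                           /* model only: keep the demo leak-free */
    return rc;
}

int main(void)
{
    printf("put before init: %d\n", model_alloc_fail_path(0));
    printf("put after init:  %d\n", model_alloc_fail_path(1));
    return 0;
}
```

With the initialization moved ahead of the allocation that can fail, the error-path put finds a valid release callback and the object is freed through it.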

Impact