CVE-2026-31730

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> misc: fastrpc: possible double-free of cctx-&gt;remote_heap<br /> <br /> fastrpc_init_create_static_process() may free cctx-&gt;remote_heap on the<br /> err_map path but does not clear the pointer. Later, fastrpc_rpmsg_remove()<br /> frees cctx-&gt;remote_heap again if it is non-NULL, which can lead to a<br /> double-free if the INIT_CREATE_STATIC ioctl hits the error path and the rpmsg<br /> device is subsequently removed/unbound.<br /> Clear cctx-&gt;remote_heap after freeing it in the error path to prevent the<br /> later cleanup from freeing it again.<br /> <br /> This issue was found by an in-house analysis workflow that extracts AST-based<br /> information and runs static checks, with LLM assistance for triage, and was<br /> confirmed by manual code review.<br /> No hardware testing was performed.