Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2026-31578

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
24/04/2026
Last modified:
27/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: as102: fix to not free memory after the device is registered in as102_usb_probe()<br /> <br /> In as102_usb driver, the following race condition occurs:<br /> ```<br /> CPU0 CPU1<br /> as102_usb_probe()<br /> kzalloc(); // alloc as102_dev_t<br /> ....<br /> usb_register_dev();<br /> fd = sys_open("/path/to/dev"); // open as102 fd<br /> ....<br /> usb_deregister_dev();<br /> ....<br /> kfree(); // free as102_dev_t<br /> ....<br /> sys_close(fd);<br /> as102_release() // UAF!!<br /> as102_usb_release()<br /> kfree(); // DFB!!<br /> ```<br /> <br /> When a USB character device registered with usb_register_dev() is later<br /> unregistered (via usb_deregister_dev() or disconnect), the device node is<br /> removed so new open() calls fail. However, file descriptors that are<br /> already open do not go away immediately: they remain valid until the last<br /> reference is dropped and the driver&amp;#39;s .release() is invoked.<br /> <br /> In as102, as102_usb_probe() calls usb_register_dev() and then, on an<br /> error path, does usb_deregister_dev() and frees as102_dev_t right away.<br /> If userspace raced a successful open() before the deregistration, that<br /> open FD will later hit as102_release() --&gt; as102_usb_release() and access<br /> or free as102_dev_t again, occur a race to use-after-free and<br /> double-free vuln.<br /> <br /> The fix is to never kfree(as102_dev_t) directly once usb_register_dev()<br /> has succeeded. After deregistration, defer freeing memory to .release().<br /> <br /> In other words, let release() perform the last kfree when the final open<br /> FD is closed.

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.6.136 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.83 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.24 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 6.19.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 7.0 (including) 7.0.1 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools