CVE-2026-31688
Use-After-Free in Linux Kernel Driver Core Due to Missing Lock
Publication date: 2026-04-27
Last updated on: 2026-05-06
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | From 2.6.30 (inc) to 7.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Linux kernel involves inconsistent locking in the driver_match_device() function. Specifically, driver_match_device() is called from three different places, but only one of them holds the necessary device_lock. The other two calls do not hold this lock, which means that bus match() callbacks may be executed without proper locking.
This inconsistency can lead to a race condition, particularly affecting the driver_override implementation that relies on the device_lock. Without the lock, a use-after-free (UAF) condition can occur, potentially causing instability or security issues.
The fix introduced a new function, driver_match_device_locked(), which ensures the device lock is held during calls. The two previously unlocked calls were replaced with this new locked helper, and a lock assertion was added to enforce the locking guarantee.
How can this vulnerability impact me? :
This vulnerability can lead to a use-after-free (UAF) condition in the Linux kernel's driver handling code. Such a condition can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges if they can exploit the race condition.
Because the issue involves improper locking, it can result in unpredictable behavior in device driver matching and attachment, which may affect the reliability and security of the system.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by enforcing the device_lock for driver_match_device() in the Linux kernel. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.
This fix introduces driver_match_device_locked() to ensure the device lock is held properly, preventing the use-after-free condition. Applying the updated kernel will address the race condition and locking issues described.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.