CVE-2026-31688
Awaiting Analysis Awaiting Analysis - Queue
Use-After-Free in Linux Kernel Driver Core Due to Missing Lock

Publication date: 2026-04-27

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: driver core: enforce device_lock for driver_match_device() Currently, driver_match_device() is called from three sites. One site (__device_attach_driver) holds device_lock(dev), but the other two (bind_store and __driver_attach) do not. This inconsistency means that bus match() callbacks are not guaranteed to be called with the lock held. Fix this by introducing driver_match_device_locked(), which guarantees holding the device lock using a scoped guard. Replace the unlocked calls in bind_store() and __driver_attach() with this new helper. Also add a lock assertion to driver_match_device() to enforce this guarantee. This consistency also fixes a known race condition. The driver_override implementation relies on the device_lock, so the missing lock led to the use-after-free (UAF) reported in Bugzilla for buses using this field. Stress testing the two newly locked paths for 24 hours with CONFIG_PROVE_LOCKING and CONFIG_LOCKDEP enabled showed no UAF recurrence and no lockdep warnings.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-27
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-04-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31688
EUVD
EUVD-2026-25885
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel From 2.6.30 (inc) to 7.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Linux kernel involves inconsistent locking in the driver_match_device() function. Specifically, driver_match_device() is called from three different places, but only one of them holds the necessary device_lock. The other two calls do not hold this lock, which means that bus match() callbacks may be executed without proper locking.

This inconsistency can lead to a race condition, particularly affecting the driver_override implementation that relies on the device_lock. Without the lock, a use-after-free (UAF) condition can occur, potentially causing instability or security issues.

The fix introduced a new function, driver_match_device_locked(), which ensures the device lock is held during calls. The two previously unlocked calls were replaced with this new locked helper, and a lock assertion was added to enforce the locking guarantee.

Impact Analysis

This vulnerability can lead to a use-after-free (UAF) condition in the Linux kernel's driver handling code. Such a condition can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges if they can exploit the race condition.

Because the issue involves improper locking, it can result in unpredictable behavior in device driver matching and attachment, which may affect the reliability and security of the system.

Mitigation Strategies

The vulnerability is fixed by enforcing the device_lock for driver_match_device() in the Linux kernel. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

This fix introduces driver_match_device_locked() to ensure the device lock is held properly, preventing the use-after-free condition. Applying the updated kernel will address the race condition and locking issues described.

Compliance Impact

The provided information does not specify any impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31688. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart