CVE-2026-31689
Use-After-Free in Linux EDAC Device Initialization Causes Kernel Warning
Publication date: 2026-04-27
Last updated on: 2026-05-06
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.13 (inc) to 6.18.23 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.13 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.135 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.82 (exc) |
| linux | linux_kernel | From 5.19 (inc) to 6.1.169 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's EDAC (Error Detection and Correction) subsystem, specifically in the edac_mc_alloc() function. When the allocation of mci->pvt_info fails, the error handling path calls put_device(), which in turn calls the device's release function. However, due to incorrect initialization ordering, device_initialize() is called after the failed allocation, meaning the device and its release function pointer are not properly initialized when they are called. This leads to a situation where kobject_put() is called on an uninitialized kobject, causing warnings and potential instability.
The fix involves reordering the calling sequence so that the device is initialized before the release function pointer is used, preventing the improper call to an uninitialized release function.
How can this vulnerability impact me? :
This vulnerability can cause kernel warnings and potentially lead to system instability or crashes due to improper handling of device release functions when allocation fails. It may affect the reliability of the system, especially in scenarios where the EDAC subsystem is active and memory controller error handling is critical.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as an error in the Linux kernel related to the EDAC/mc subsystem, specifically involving incorrect error path ordering in edac_mc_alloc().
Detection can be done by monitoring kernel logs for specific warning messages indicating uninitialized kobject usage, such as:
- Look for kernel log entries containing: "kobject: '(null)': is not initialized, yet kobject_put() is being called."
- Use the command: dmesg | grep -i 'kobject_put' or dmesg | grep -i 'edac_mc_alloc' to find related error messages.
- Check system logs (e.g., /var/log/kern.log or journalctl -k) for warnings related to EDAC or device initialization failures.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by reordering the device initialization sequence in the Linux kernel source code so that device_initialize() is called before the error path that calls put_device().
Immediate mitigation steps include:
- Update the Linux kernel to a version that includes the fix for this issue.
- If updating is not immediately possible, monitor kernel logs for the described error messages to detect if the issue occurs.
- Avoid running untrusted code or workloads that might trigger this error path until the kernel is patched.