CVE-2026-31730
Double-Free in Linux Kernel FastRPC
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability in the Linux kernel involves a possible double-free of the cctx->remote_heap pointer in the fastrpc component. A double-free can lead to undefined behavior such as memory corruption, crashes, or potential exploitation by attackers to execute arbitrary code or cause denial of service.
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's fastrpc component, where a double-free error can occur with the cctx->remote_heap pointer.
Specifically, the function fastrpc_init_create_static_process() may free the cctx->remote_heap pointer on an error path but does not clear the pointer afterward. Later, when fastrpc_rpmsg_remove() is called, it checks if cctx->remote_heap is non-NULL and frees it again, causing a double-free.
This double-free can happen if the INIT_CREATE_STATIC ioctl triggers the error path and the rpmsg device is later removed or unbound.
The fix involves clearing the cctx->remote_heap pointer after freeing it in the error path to prevent the second free.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability involves a double-free issue in the Linux kernel's fastrpc component related to the cctx->remote_heap pointer.
To mitigate this vulnerability, you should update your Linux kernel to a version where this issue has been fixed. The fix involves clearing the cctx->remote_heap pointer after freeing it in the error path to prevent a double-free during later cleanup.