CVE-2026-31749
Awaiting Analysis - Queue
Memory Corruption in Linux Kernel COMEDI Subsystem

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

comedi: ni_atmio16d: Fix invalid clean-up after failed attach

If the driver's COMEDI "attach" handler function (`atmio16d_attach()`) returns an error, the COMEDI core will call the driver's "detach" handler function (`atmio16d_detach()`) to clean up. This calls `reset_atmio16d()` unconditionally, but depending on where the error occurred in the attach handler, the device may not have been sufficiently initialized to call `reset_atmio16d()`. It uses `dev->iobase` as the I/O port base address and `dev->private` as the pointer to the COMEDI device's private data structure. `dev->iobase` may still be set to its initial value of 0, which would result in undesired writes to low I/O port addresses. `dev->private` may still be `NULL`, which would result in null pointer dereferences.

Fix `atmio16d_detach()` by checking that `dev->private` is valid (non-null) before calling `reset_atmio16d()`. This implies that `dev->iobase` was set correctly since that is set up before `dev->private`.
Meta Information
Published: 2026-05-01
Last Modified: 2026-05-01
Generated: 2026-05-07
AI Q&A: 2026-05-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: comedi
Product: ni_atmio16d
Version / Range: *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's comedi driver for the ni_atmio16d device. When the driver's attach handler function (`atmio16d_attach()`) fails and returns an error, the COMEDI core calls the detach handler (`atmio16d_detach()`) to clean up. However, the detach handler calls `reset_atmio16d()` unconditionally without verifying if the device was properly initialized.

Because the device may not have been fully initialized, critical fields like `dev->iobase` (I/O port base address) might still be zero, and `dev->private` (pointer to private data) might be NULL. This can lead to undesired writes to low I/O port addresses or null pointer dereferences during cleanup.

The fix involves modifying `atmio16d_detach()` to check that `dev->private` is valid (non-null) before calling `reset_atmio16d()`, ensuring that the device was properly initialized before cleanup.
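
The attach/detach ordering described above, as a userspace C model added here for illustration (it is not the kernel driver's code or the upstream patch). `model_dev`, `model_attach()`, `model_detach()`, `model_reset()`, `count_unsafe()` and the port base `0x300` are hypothetical; only the `iobase`/`private` fields and the order in which they are set come from the description.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model, not kernel code. Only iobase/private mirror the advisory. */
struct model_dev {
    unsigned long iobase; /* stays 0 until attach records the I/O port base */
    void *private;        /* stays NULL until attach allocates private data */
};

enum stage { FAIL_EARLY, FAIL_AFTER_IOBASE, FAIL_AFTER_PRIVATE, ATTACH_OK };

static int unsafe; /* unsafe accesses the modelled reset would have made */

/* Stand-in for reset_atmio16d(): it uses both fields, so count bad ones. */
static void model_reset(const struct model_dev *dev)
{
    if (dev->iobase == 0) unsafe++;     /* write to a low I/O port address */
    if (dev->private == NULL) unsafe++; /* null pointer dereference */
}

/* Attach sets iobase first, then private, and may fail at any stage. */
static int model_attach(struct model_dev *dev, enum stage fail)
{
    if (fail == FAIL_EARLY) return -1;
    dev->iobase = 0x300; /* constructed sample port base */
    if (fail == FAIL_AFTER_IOBASE) return -1;
    dev->private = calloc(1, 16);
    if (!dev->private || fail == FAIL_AFTER_PRIVATE) return -1;
    return 0;
}

static void model_detach(struct model_dev *dev, int guarded)
{
    if (!guarded || dev->private) /* the fix: reset only if private is set */
        model_reset(dev);
    free(dev->private);
}

/* Fail attach at each stage in turn; detach runs after every outcome. */
int count_unsafe(int guarded)
{
    unsafe = 0;
    for (int s = FAIL_EARLY; s <= ATTACH_OK; s++) {
        struct model_dev dev = { 0, NULL };
        model_attach(&dev, (enum stage)s);
        model_detach(&dev, guarded);
    }
    return unsafe;
}

int main(void)
{
    printf("unguarded: %d, guarded: %d\n", count_unsafe(0), count_unsafe(1));
    return 0;
}
```

Because `private` is set after `iobase`, the single non-null check on `private` covers both fields, which is why the guarded run reports no unsafe accesses.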


How can this vulnerability impact me?

This vulnerability can cause the driver to perform invalid operations during cleanup after a failed device attach. Specifically, it may write to unintended low I/O port addresses or dereference null pointers.

Such behavior can lead to system instability, crashes, or unpredictable behavior in the Linux kernel, potentially affecting system reliability and availability.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by correcting the cleanup process in the ni_atmio16d driver of the Linux kernel COMEDI subsystem.

Immediate mitigation steps include updating the Linux kernel to a version that contains the fix for this issue, which ensures that the detach handler checks the validity of the device's private data before calling reset functions.

Avoid using vulnerable versions of the ni_atmio16d driver until the patch is applied.

