CVE-2026-31753
Awaiting Analysis Awaiting Analysis - Queue
NULL Dereference in Linux Kernel Auxdisplay Line-Display

Publication date: 2026-05-01

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: auxdisplay: line-display: fix NULL dereference in linedisp_release linedisp_release() currently retrieves the enclosing struct linedisp via to_linedisp(). That lookup depends on the attachment list, but the attachment may already have been removed before put_device() invokes the release callback. This can happen in linedisp_unregister(), and can also be reached from some linedisp_register() error paths. In that case, to_linedisp() returns NULL and linedisp_release() dereferences it while freeing the display resources. The struct device released here is the embedded linedisp->dev used by linedisp_register(), so retrieve the enclosing object directly with container_of() instead.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-08
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-14
NVD
CVE-2026-31753
EUVD
EUVD-2026-26566
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's auxdisplay line-display component. Specifically, the function linedisp_release() attempts to retrieve a structure called linedisp using a helper function to_linedisp(). However, this retrieval depends on an attachment list that may have already been removed before linedisp_release() is called. When the attachment is missing, to_linedisp() returns NULL, and linedisp_release() then dereferences this NULL pointer while trying to free display resources, leading to a NULL pointer dereference.

The issue occurs because linedisp_release() relies on an attachment list that might no longer exist due to prior removal during linedisp_unregister() or certain error paths in linedisp_register(). The fix involves retrieving the enclosing object directly using container_of() instead of relying on the attachment list.

Impact Analysis

This vulnerability can cause a NULL pointer dereference in the Linux kernel, which typically results in a kernel crash or system instability. Such a crash could lead to denial of service (DoS) conditions where the affected system becomes unresponsive or requires a reboot.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31753. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart