CVE-2026-31759
Analyzed Analyzed - Analysis Complete

Double Free in Linux Kernel USB ULPI Interface

Vulnerability report for CVE-2026-31759, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-01

Last updated on: 2026-05-08

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: usb: ulpi: fix double free in ulpi_register_interface() error path When device_register() fails, ulpi_register() calls put_device() on ulpi->dev. The device release callback ulpi_dev_release() drops the OF node reference and frees ulpi, but the current error path in ulpi_register_interface() then calls kfree(ulpi) again, causing a double free. Let put_device() handle the cleanup through ulpi_dev_release() and avoid freeing ulpi again in ulpi_register_interface().

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-01
Last Modified
2026-05-08
Generated
2026-07-06
AI Q&A
2026-05-01
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 13 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.168 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.81 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.134 (exc)
linux linux_kernel From 4.2 (inc) to 5.10.253 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-415 The product calls free() twice on the same memory address.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a double free bug in the Linux kernel's USB ULPI driver. Specifically, when the function device_register() fails, ulpi_register() calls put_device() on ulpi->dev. The device release callback ulpi_dev_release() then frees the ulpi structure, but the error path in ulpi_register_interface() mistakenly calls kfree(ulpi) again, causing the ulpi structure to be freed twice.

The fix involves letting put_device() handle the cleanup through ulpi_dev_release() and avoiding the second free in ulpi_register_interface().

Impact Analysis

A double free vulnerability can lead to undefined behavior such as memory corruption, system crashes, or potential exploitation by attackers to execute arbitrary code or escalate privileges. In this case, the double free in the USB ULPI driver could destabilize the Linux kernel or be leveraged in an attack scenario.

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version where the issue in ulpi_register_interface() has been fixed.

The fix involves ensuring that the ulpi structure is freed only once by letting put_device() handle the cleanup through ulpi_dev_release(), avoiding a double free.

Therefore, applying the patch or upgrading to the fixed kernel version is the immediate step to prevent this double free vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31759. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart