CVE-2026-31759
Analyzed Analyzed - Analysis Complete
Double Free in Linux Kernel USB ULPI Interface

Publication date: 2026-05-01

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: usb: ulpi: fix double free in ulpi_register_interface() error path When device_register() fails, ulpi_register() calls put_device() on ulpi->dev. The device release callback ulpi_dev_release() drops the OF node reference and frees ulpi, but the current error path in ulpi_register_interface() then calls kfree(ulpi) again, causing a double free. Let put_device() handle the cleanup through ulpi_dev_release() and avoid freeing ulpi again in ulpi_register_interface().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-08
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31759
EUVD
EUVD-2026-26572
Affected Vendors & Products
Showing 13 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.168 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.81 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.134 (exc)
linux linux_kernel From 4.2 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-415 The product calls free() twice on the same memory address.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a double free bug in the Linux kernel's USB ULPI driver. Specifically, when the function device_register() fails, ulpi_register() calls put_device() on ulpi->dev. The device release callback ulpi_dev_release() then frees the ulpi structure, but the error path in ulpi_register_interface() mistakenly calls kfree(ulpi) again, causing the ulpi structure to be freed twice.

The fix involves letting put_device() handle the cleanup through ulpi_dev_release() and avoiding the second free in ulpi_register_interface().

Impact Analysis

A double free vulnerability can lead to undefined behavior such as memory corruption, system crashes, or potential exploitation by attackers to execute arbitrary code or escalate privileges. In this case, the double free in the USB ULPI driver could destabilize the Linux kernel or be leveraged in an attack scenario.

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version where the issue in ulpi_register_interface() has been fixed.

The fix involves ensuring that the ulpi structure is freed only once by letting put_device() handle the cleanup through ulpi_dev_release(), avoiding a double free.

Therefore, applying the patch or upgrading to the fixed kernel version is the immediate step to prevent this double free vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31759. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart