CVE-2026-31759
Double Free in Linux Kernel USB ULPI Interface
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a double free bug in the Linux kernel's USB ULPI driver. Specifically, when the function device_register() fails, ulpi_register() calls put_device() on ulpi->dev. The device release callback ulpi_dev_release() then frees the ulpi structure, but the error path in ulpi_register_interface() mistakenly calls kfree(ulpi) again, causing the ulpi structure to be freed twice.
The fix involves letting put_device() handle the cleanup through ulpi_dev_release() and avoiding the second free in ulpi_register_interface().
How can this vulnerability impact me? :
A double free vulnerability can lead to undefined behavior such as memory corruption, system crashes, or potential exploitation by attackers to execute arbitrary code or escalate privileges. In this case, the double free in the USB ULPI driver could destabilize the Linux kernel or be leveraged in an attack scenario.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Linux kernel to a version where the issue in ulpi_register_interface() has been fixed.
The fix involves ensuring that the ulpi structure is freed only once by letting put_device() handle the cleanup through ulpi_dev_release(), avoiding a double free.
Therefore, applying the patch or upgrading to the fixed kernel version is the immediate step to prevent this double free vulnerability.