Skip to main content

Linux Kernel CVE-2026-31399

| EUVDEUVD-2026-18780 HIGH
Use After Free (CWE-416)
2026-04-03 Linux GHSA-j3fg-h3r6-7945
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
4.7 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
May 20, 2026 - 13:13 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 20, 2026 - 13:07 vuln.today
cvss_changed
CVSS changed
May 20, 2026 - 13:07 NVD
7.8 (HIGH)
Patch available
Apr 16, 2026 - 05:29 EUVD
2c638259ad750833fd46a0cf57672a618542d84c,84af19855d1abdee3c9d57c0684e2868e391793c,9a0fb16ba5b372465a3a1ecd761c6fa911a4ab4d
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18780
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:16 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

nvdimm/bus: Fix potential use after free in asynchronous initialization

Dingisoul with KASAN reports a use after free if device_add() fails in nd_async_device_register().

Commit b6eae0f61db2 ("libnvdimm: Hold reference on parent while scheduling async init") correctly added a reference on the parent device to be held until asynchronous initialization was complete. However, if device_add() results in an allocation failure the ref count of the device drops to 0 prior to the parent pointer being accessed. Thus resulting in use after free.

The bug bot AI correctly identified the fix. Save a reference to the parent pointer to be used to drop the parent reference regardless of the outcome of device_add().

AnalysisAI

Use-after-free in the Linux kernel's nvdimm/bus subsystem allows local privileged users to potentially trigger memory corruption when device_add() fails during nd_async_device_register() asynchronous initialization. The flaw stems from the parent device reference being dropped before the parent pointer is accessed on allocation failure paths. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.

Technical ContextAI

The vulnerability resides in the libnvdimm (Non-Volatile DIMM) subsystem of the Linux kernel, specifically in drivers/nvdimm/bus.c, which manages persistent memory devices exposed through NVDIMM hardware. The root cause is a CWE-416 Use-After-Free bug introduced by commit b6eae0f61db2 ('libnvdimm: Hold reference on parent while scheduling async init'), where the parent device reference is released when device_add() fails and the underlying device refcount reaches zero, but the freed parent pointer is still subsequently dereferenced to drop the reference. The affected CPE is cpe:2.3:a:linux:linux covering kernel versions from 4.20 onward where the buggy commit was introduced. The fix saves a local reference to the parent pointer before calling device_add() so it remains valid regardless of allocation outcome.

RemediationAI

Vendor-released patch is available - upgrade to a fixed Linux kernel: 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, or mainline 7.0-rc5 (or any later stable release containing the fix). Patch commits are available at https://git.kernel.org/stable/c/9a0fb16ba5b372465a3a1ecd761c6fa911a4ab4d and the related stable-tree commits listed in the advisory. For distribution kernels, apply the security update from your vendor (Red Hat, SUSE, Ubuntu, Debian, etc.) once published. As a compensating control where patching is delayed, unloading or blacklisting the libnvdimm and nfit modules (modprobe -r nfit libnvdimm; add to /etc/modprobe.d/blacklist) eliminates the attack surface entirely on systems that do not use persistent memory - the trade-off is loss of NVDIMM functionality, which is acceptable on systems without NVDIMM hardware. Restricting local shell access and tightening user privilege boundaries also limits the exposure given the AV:L vector.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31399 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy