Skip to main content

Linux Kernel CVE-2026-31426

| EUVDEUVD-2026-21953 HIGH
Use After Free (CWE-416)
2026-04-13 Linux
7.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
6.6 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
5.8 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 27, 2026 - 14:24 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
7.0 (HIGH)
Patch released
Apr 27, 2026 - 14:16 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
022d1727f33ff90b3e1775125264e3023901952e,808c0f156f48d5b8ca34088cbbfba8444e606cbc,9c886e63b69658959633937e3acb7ca8addf7499
EUVD ID Assigned
Apr 13, 2026 - 13:45 euvd
EUVD-2026-21953
Analysis Generated
Apr 13, 2026 - 13:45 vuln.today
CVE Published
Apr 13, 2026 - 13:40 nvd
HIGH 7.0

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ACPI: EC: clean up handlers on probe failure in acpi_ec_setup()

When ec_install_handlers() returns -EPROBE_DEFER on reduced-hardware platforms, it has already started the EC and installed the address space handler with the struct acpi_ec pointer as handler context. However, acpi_ec_setup() propagates the error without any cleanup.

The caller acpi_ec_add() then frees the struct acpi_ec for non-boot instances, leaving a dangling handler context in ACPICA.

Any subsequent AML evaluation that accesses an EC OpRegion field dispatches into acpi_ec_space_handler() with the freed pointer, causing a use-after-free:

BUG: KASAN: slab-use-after-free in mutex_lock (kernel/locking/mutex.c:289) Write of size 8 at addr ffff88800721de38 by task init/1 Call Trace: <TASK> mutex_lock (kernel/locking/mutex.c:289) acpi_ec_space_handler (drivers/acpi/ec.c:1362) acpi_ev_address_space_dispatch (drivers/acpi/acpica/evregion.c:293) acpi_ex_access_region (drivers/acpi/acpica/exfldio.c:246) acpi_ex_field_datum_io (drivers/acpi/acpica/exfldio.c:509) acpi_ex_extract_from_field (drivers/acpi/acpica/exfldio.c:700) acpi_ex_read_data_from_field (drivers/acpi/acpica/exfield.c:327) acpi_ex_resolve_node_to_value (drivers/acpi/acpica/exresolv.c:392) </TASK>

Allocated by task 1: acpi_ec_alloc (drivers/acpi/ec.c:1424) acpi_ec_add (drivers/acpi/ec.c:1692)

Freed by task 1: kfree (mm/slub.c:6876) acpi_ec_add (drivers/acpi/ec.c:1751)

The bug triggers on reduced-hardware EC platforms (ec->gpe < 0) when the GPIO IRQ provider defers probing. Once the stale handler exists, any unprivileged sysfs read that causes AML to touch an EC OpRegion (battery, thermal, backlight) exercises the dangling pointer.

Fix this by calling ec_remove_handlers() in the error path of acpi_ec_setup() before clearing first_ec. ec_remove_handlers() checks each EC_FLAGS_* bit before acting, so it is safe to call regardless of how far ec_install_handlers() progressed:

-ENODEV (handler not installed): only calls acpi_ec_stop() -EPROBE_DEFER (handler installed): removes handler, stops EC

AnalysisAI

Use-after-free in Linux kernel ACPI EC driver allows local authenticated attackers with low privileges to achieve high integrity, confidentiality, and availability impact on reduced-hardware platforms when GPIO IRQ provider defers probing. Vendor patches are available across stable branches (6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV). The vulnerability triggers when EC handler cleanup fails during probe deferral, leaving a dangling pointer that is later dereferenced during AML evaluation of EC OpRegion accesses (battery, thermal, backlight operations).

Technical ContextAI

The vulnerability exists in the Linux kernel's ACPI Embedded Controller (EC) subsystem, specifically in the acpi_ec_setup() function within drivers/acpi/ec.c. On reduced-hardware platforms (where ec->gpe < 0, meaning the EC uses GPIO IRQs instead of GPE interrupts), ec_install_handlers() can return -EPROBE_DEFER when the GPIO IRQ provider isn't ready. However, at this point the function has already registered an ACPI address space handler with acpi_install_address_space_handler(), passing a pointer to struct acpi_ec as the handler context. The calling function acpi_ec_add() propagates the error and frees the struct acpi_ec for non-boot instances without removing the installed handler. This leaves ACPICA's handler registry pointing to freed memory. When subsequent AML code (ACPI Machine Language) accesses an EC OpRegion field-common during battery status reads, thermal management, or backlight control-ACPICA dispatches to acpi_ec_space_handler() with the freed pointer, triggering a use-after-free condition detected by KASAN. The root cause is incomplete error-path cleanup in a probe-deferral scenario, a common pattern in modern device driver development where dependencies may not initialize in a predictable order.

RemediationAI

Upgrade to patched Linux kernel versions: 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, or mainline 7.0+. Patches are available from kernel.org stable branches with commit references provided in CVE description (https://git.kernel.org/stable/c/022d1727f33ff90b3e1775125264e3023901952e and related commits for stable branches). For systems unable to immediately upgrade, no effective workaround exists since the vulnerability is in core ACPI EC initialization logic. Compensating controls are limited: restrict local user access to minimize PR:L attack vector, and monitor for kernel KASAN warnings in dmesg indicating use-after-free conditions in acpi_ec_space_handler. However, these are detective rather than preventive controls. On reduced-hardware platforms using GPIO-based EC (ARM/RISC-V embedded systems, industrial controllers), prioritize patching during next maintenance window. The fix adds ec_remove_handlers() call in acpi_ec_setup() error path before clearing first_ec, ensuring handler deregistration matches installation state. Standard kernel update procedures apply-verify compatibility with out-of-tree modules and test in non-production environment first given the ACPI subsystem criticality.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31426 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy