Skip to main content

Linux Kernel CVE-2026-31527

| EUVDEUVD-2026-24919 HIGH
Use After Free (CWE-416)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 18:08 vuln.today
CVSS changed
Apr 28, 2026 - 18:07 NVD
7.8 (HIGH)
Patch released
Apr 28, 2026 - 18:02 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24919
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

driver core: platform: use generic driver_override infrastructure

When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF.

Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally.

Note that calling match() from __driver_attach() without the device lock held is intentional. [1]

AnalysisAI

Use-after-free in Linux Kernel platform driver core allows local authenticated attackers to achieve high-severity impacts including code execution, privilege escalation, or denial of service. The vulnerability stems from unsafe access to the driver_override field during device probing when the bus match() callback executes without device lock protection. Patches are available across multiple kernel branches (6.12.80, 6.18.21, 6.19.11, 7.0) per vendor commits. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no CISA KEV listing exists, suggesting this remains a theoretical risk rather than actively exploited threat despite the high CVSS 7.8 score.

Technical ContextAI

This vulnerability affects the Linux kernel's platform driver core subsystem, specifically the driver probing mechanism in __driver_attach(). The root cause (CWE-416: Use After Free) occurs because the bus match() callback accesses the driver_override field without holding the device lock, creating a race condition where memory can be freed while still being referenced. The kernel design intentionally calls match() without the device lock for performance reasons, but this creates a window for UAF exploitation. The fix implements generic driver_override infrastructure from the driver core that provides proper internal locking mechanisms. CPE data indicates the vulnerability exists in mainline Linux kernel versions from 3.17 through 7.0-rc4, affecting a broad range of deployed systems. The commits referenced (3d713e0e382e through edee7ee5a14c, 9a6086d2a828, 2b38efc05bf7, 7c02a9bd7d14) show backports across stable kernel branches, indicating vendor acknowledgment of severity across supported versions.

RemediationAI

Upgrade to patched Linux kernel versions: 6.12.80 or later for the 6.12.x series, 6.18.21 or later for 6.18.x, 6.19.11 or later for 6.19.x, or 7.0 or later for mainline. Distribution-specific updates should be applied via normal package management (apt, yum, dnf, zypper) as vendors incorporate these upstream commits into their kernel packages. Verify installed kernel version with 'uname -r' post-update and reboot to activate the new kernel. Patch commits are available at https://git.kernel.org/stable/c/edee7ee5a14c3b33f6d54641f5af5c5e9180992d (6.19.11), https://git.kernel.org/stable/c/9a6086d2a828dd2ff74cf9abcae456670febd71f (6.18.21), https://git.kernel.org/stable/c/2b38efc05bf7a8568ec74bfffea0f5cfa62bc01d (6.12.80), and https://git.kernel.org/stable/c/7c02a9bd7d14a89065fcf672b86d8e1d1a41d3b1 (7.0). If immediate patching is infeasible, implement defense-in-depth controls: restrict local user access via least-privilege principles, disable unnecessary platform drivers via kernel module blacklisting if workload permits (trade-off: may break hardware functionality), enable kernel hardening features like KASLR and SMEP/SMAP if not already active (minimal performance overhead), and monitor for anomalous driver loading activity via auditd rules on /sys/bus/platform/drivers. These mitigations reduce but do not eliminate exploitation risk; kernel patching remains the definitive remediation.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31527 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy