Skip to main content

Linux Kernel CVE-2026-31530

| EUVDEUVD-2026-24925 HIGH
Use After Free (CWE-416)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-6pf8-h7c8-42fv
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 18:08 vuln.today
CVSS changed
Apr 28, 2026 - 18:07 NVD
7.8 (HIGH)
Patch released
Apr 28, 2026 - 17:53 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24925
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

cxl/port: Fix use after free of parent_port in cxl_detach_ep()

cxl_detach_ep() is called during bottom-up removal when all CXL memory devices beneath a switch port have been removed. For each port in the hierarchy it locks both the port and its parent, removes the endpoint, and if the port is now empty, marks it dead and unregisters the port by calling delete_switch_port(). There are two places during this work where the parent_port may be used after freeing:

First, a concurrent detach may have already processed a port by the time a second worker finds it via bus_find_device(). Without pinning parent_port, it may already be freed when we discover port->dead and attempt to unlock the parent_port. In a production kernel that's a silent memory corruption, with lock debug, it looks like this:

[]DEBUG_LOCKS_WARN_ON(__owner_task(owner) != get_current()) []WARNING: kernel/locking/mutex.c:949 at __mutex_unlock_slowpath+0x1ee/0x310 []Call Trace: []mutex_unlock+0xd/0x20 []cxl_detach_ep+0x180/0x400 [cxl_core] []devm_action_release+0x10/0x20 []devres_release_all+0xa8/0xe0 []device_unbind_cleanup+0xd/0xa0 []really_probe+0x1a6/0x3e0

Second, delete_switch_port() releases three devm actions registered against parent_port. The last of those is unregister_port() and it calls device_unregister() on the child port, which can cascade. If parent_port is now also empty the device core may unregister and free it too. So by the time delete_switch_port() returns, parent_port may be free, and the subsequent device_unlock(&parent_port->dev) operates on freed memory. The kernel log looks same as above, with a different offset in cxl_detach_ep().

Both of these issues stem from the absence of a lifetime guarantee between a child port and its parent port.

Establish a lifetime rule for ports: child ports hold a reference to their parent device until release. Take the reference when the port is allocated and drop it when released. This ensures the parent is valid for the full lifetime of the child and eliminates the use after free window in cxl_detach_ep().

This is easily reproduced with a reload of cxl_acpi in QEMU with CXL devices present.

AnalysisAI

Use-after-free in Linux kernel CXL (Compute Express Link) subsystem allows local authenticated attackers to corrupt memory and potentially execute arbitrary code or cause kernel panics. The flaw occurs in cxl_detach_ep() during device removal when parent port references are freed prematurely, before child operations complete. Affects Linux kernel 6.3 through 7.0-rc5; patched in versions 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% indicates low exploitation probability. No active exploitation or public exploit code identified at time of analysis.

Technical ContextAI

The vulnerability resides in the Linux kernel's CXL (Compute Express Link) port management code, specifically in the cxl_detach_ep() function within the cxl_core module. CXL is a high-speed interconnect protocol for connecting CPUs to memory and accelerators. The issue stems from inadequate lifetime management between parent and child port objects in the device tree hierarchy. During bottom-up device removal, the code locks both a port and its parent, then calls delete_switch_port() which triggers devm (device-managed) resource cleanup. Two race windows exist: (1) concurrent detachment operations may free parent_port while another thread attempts to unlock it, and (2) device_unregister() cascades from delete_switch_port() can free parent_port before the function returns, causing the subsequent unlock to operate on freed memory. This is a classic CWE-416 use-after-free vulnerability in reference counting logic. The CPE data confirms impact to Linux kernel versions from 6.3 through 7.0-rc5. The fix establishes a lifetime rule where child ports hold device references to their parents, taken during allocation and released only when the child is destroyed.

RemediationAI

Update to patched Linux kernel versions: 6.12.80, 6.18.21, 6.19.11, or 7.0 and later. Patches are available from the mainline kernel repository with specific commits f7dc6f381a1e5f068333f1faa9265d6af1df4235, 2c32141462045cf93d54a5146a0ba572b83533dd, 19d2f0b97a131198efc2c4ca3eb7f980bba8c2b4, and d216a4bd138eb57cc4ae7c43b2f709e3482af7e2 as referenced at https://git.kernel.org/stable/. Distribution-specific updates should be obtained through standard package management channels (apt, yum, dnf) as vendors incorporate the upstream fixes. If immediate patching is not feasible, risk can be reduced by avoiding CXL driver reloads and minimizing hot-plug operations on CXL devices, though this is operationally disruptive and does not eliminate the race condition entirely. As a temporary mitigation with significant operational impact, disabling the cxl_core kernel module (if CXL functionality is not required) prevents triggering the vulnerable code path, but this removes all CXL device support. Enterprises should prioritize patching over workarounds given patch availability across all affected stable branches.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31530 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy