Skip to main content

Linux Kernel CVE-2026-31621

| EUVDEUVD-2026-25514 MEDIUM
Use of Uninitialized Resource (CWE-908)
2026-04-24 Linux GHSA-jq95-p6v7-8mxr
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 14:07 vuln.today
CVSS changed
Apr 28, 2026 - 14:07 NVD
5.5 (MEDIUM)
Patch released
Apr 28, 2026 - 14:05 nvd
Patch available
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25514
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bnge: return after auxiliary_device_uninit() in error path

When auxiliary_device_add() fails, the error block calls auxiliary_device_uninit() but does not return. The uninit drops the last reference and synchronously runs bnge_aux_dev_release(), which sets bd->auxr_dev = NULL and frees the underlying object. The subsequent bd->auxr_dev->net = bd->netdev then dereferences NULL, which is not a good thing to have happen when trying to clean up from an error.

Add the missing return, as the auxiliary bus documentation states is a requirement (seems that LLM tools read documentation better than humans do...)

AnalysisAI

Null pointer dereference in Linux kernel bnge driver occurs when auxiliary_device_add() fails and the error handling path omits a return statement after auxiliary_device_uninit(), causing subsequent code to dereference a freed and nullified auxr_dev pointer. Local users with limited privileges can trigger kernel panic (denial of service) by inducing auxiliary device initialization failure. EPSS score of 0.02% reflects low real-world exploitation probability despite availability of vendor patches in stable branches 6.19.14 and 7.0.1.

Technical ContextAI

The bnge (Broadcom NetXtreme) driver uses the Linux auxiliary bus subsystem (auxiliary_device API) to manage auxiliary devices. The vulnerability stems from incorrect error handling in device initialization: when auxiliary_device_add() fails, the code calls auxiliary_device_uninit(), which decrements the reference count and synchronously invokes the release callback bnge_aux_dev_release(). This callback sets bd->auxr_dev to NULL and deallocates the underlying object. The missing return statement causes execution to continue past the error block, where code attempts bd->auxr_dev->net = bd->netdev, resulting in a null pointer dereference (CWE-908: Use of Uninitialized Variable / incorrect cleanup). The issue affects kernel versions prior to commits 38c383ec6d37f4b5597f8e6a1f5c2ab31ea01d3a and 87bc3557c708110d83086bf091328271298a44e3.

RemediationAI

Update the Linux kernel to version 6.19.14 or 7.0.1 or later, which include commits 38c383ec6d37f4b5597f8e6a1f5c2ab31ea01d3a and 87bc3557c708110d83086bf091328271298a44e3 that add the required return statement after auxiliary_device_uninit(). For distributions not yet carrying these versions, manually apply the upstream fix (available at https://git.kernel.org/stable/c/38c383ec6d37f4b5597f8e6a1f5c2ab31ea01d3a). No workarounds exist short of patching; the fix is a single-line addition and poses no functional risk. Distributions tracking stable kernel branches should receive fixes within standard update cycles.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31621 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy