Skip to main content

Linux Kernel CVE-2026-31688

| EUVDEUVD-2026-25885 HIGH
Use After Free (CWE-416)
2026-04-27 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
6.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 06, 2026 - 21:00 vuln.today
CVSS changed
May 06, 2026 - 18:52 NVD
7.8 (HIGH)
EUVD ID Assigned
Apr 27, 2026 - 18:00 euvd
EUVD-2026-25885
CVE Published
Apr 27, 2026 - 17:32 nvd
N/A
CVE Published
Apr 27, 2026 - 17:32 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

driver core: enforce device_lock for driver_match_device()

Currently, driver_match_device() is called from three sites. One site (__device_attach_driver) holds device_lock(dev), but the other two (bind_store and __driver_attach) do not. This inconsistency means that bus match() callbacks are not guaranteed to be called with the lock held.

Fix this by introducing driver_match_device_locked(), which guarantees holding the device lock using a scoped guard. Replace the unlocked calls in bind_store() and __driver_attach() with this new helper. Also add a lock assertion to driver_match_device() to enforce this guarantee.

This consistency also fixes a known race condition. The driver_override implementation relies on the device_lock, so the missing lock led to the use-after-free (UAF) reported in Bugzilla for buses using this field.

Stress testing the two newly locked paths for 24 hours with CONFIG_PROVE_LOCKING and CONFIG_LOCKDEP enabled showed no UAF recurrence and no lockdep warnings.

AnalysisAI

Use-after-free in Linux kernel driver core allows local authenticated users to execute arbitrary code, escalate privileges, or crash the system via race condition in device-driver binding operations. The vulnerability stems from inconsistent locking in driver_match_device() function calls, specifically affecting driver_override functionality where device_lock was not held during bind_store() and __driver_attach() operations. EPSS probability is very low (0.02%, 5th percentile), indicating minimal real-world exploitation observed. No active exploitation confirmed - no CISA KEV listing identified. Patch available in kernel 7.0+ and backport commit dc23806a7c47.

Technical ContextAI

The Linux kernel driver core manages device-driver binding through the driver_match_device() function, which invokes bus-specific match() callbacks to pair devices with appropriate drivers. The driver_override mechanism allows userspace to manually specify which driver should bind to a device. This mechanism relies on device_lock() for synchronization to prevent concurrent access to device state. The vulnerability exists because driver_match_device() was called from three code paths: __device_attach_driver() correctly held device_lock, but bind_store() (sysfs interface for manual binding) and __driver_attach() (automatic driver probing) did not. This inconsistent locking created a race window where the driver_override field could be freed while still in use, resulting in a use-after-free condition (CWE-416). The affected CPE indicates broad impact across Linux kernel versions from 2.6.30 through pre-7.0 releases. The fix introduces driver_match_device_locked() with scoped guard locking and adds lock assertions to enforce the contract.

RemediationAI

Upgrade to Linux kernel version 7.0 or later, which includes the fix commit dc23806a7c47ec5f1293aba407fb69519f976ee0. For enterprise distributions on long-term support kernels, apply vendor-provided backports from your distribution's security advisory channel (RHEL, Ubuntu, SUSE security repos). The upstream fix is available at https://git.kernel.org/stable/c/dc23806a7c47ec5f1293aba407fb69519f976ee0 for manual backporting if necessary. If immediate patching is not feasible, implement compensating controls: restrict write access to /sys/bus/*/drivers/*/bind and /sys/bus/*/devices/*/driver_override sysfs attributes to root-only by setting restrictive permissions or using SELinux/AppArmor policies, though this may break legitimate userspace driver management tools like udev or device management daemons. In containerized environments, use seccomp profiles or LSM policies to block write access to these sysfs paths from untrusted containers. Note that restricting sysfs access may prevent dynamic driver binding functionality required for hotplug devices or manual driver overrides. Test thoroughly in staging before production deployment as driver binding is critical for hardware detection.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31688 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy