Skip to main content

Linux Kernel CVE-2026-31689

| EUVDEUVD-2026-25886 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-04-27 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 06, 2026 - 21:01 vuln.today
CVSS changed
May 06, 2026 - 18:37 NVD
5.5 (MEDIUM)
Patch available
Apr 27, 2026 - 19:01 EUVD
Patch released
Apr 27, 2026 - 18:32 nvd
Patch available
EUVD ID Assigned
Apr 27, 2026 - 18:00 euvd
EUVD-2026-25886
CVE Published
Apr 27, 2026 - 17:34 nvd
N/A
CVE Published
Apr 27, 2026 - 17:34 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

EDAC/mc: Fix error path ordering in edac_mc_alloc()

When the mci->pvt_info allocation in edac_mc_alloc() fails, the error path will call put_device() which will end up calling the device's release function.

However, the init ordering is wrong such that device_initialize() happens *after* the failed allocation and thus the device itself and the release function pointer are not initialized yet when they're called:

MCE: In-kernel MCE decoding enabled. ------------[ cut here ]------------ kobject: '(null)': is not initialized, yet kobject_put() is being called. WARNING: lib/kobject.c:734 at kobject_put, CPU#22: systemd-udevd CPU: 22 UID: 0 PID: 538 Comm: systemd-udevd Not tainted 7.0.0-rc1+ #2 PREEMPT(full) RIP: 0010:kobject_put Call Trace: <TASK> edac_mc_alloc+0xbe/0xe0 [edac_core] amd64_edac_init+0x7a4/0xff0 [amd64_edac] ? __pfx_amd64_edac_init+0x10/0x10 [amd64_edac] do_one_initcall ...

Reorder the calling sequence so that the device is initialized and thus the release function pointer is properly set before it can be used.

This was found by Claude while reviewing another EDAC patch.

AnalysisAI

Denial of service in the Linux kernel EDAC (Error Detection and Correction) subsystem due to improper initialization ordering in edac_mc_alloc(). When memory allocation fails during EDAC memory controller initialization, the error path calls put_device() before device_initialize() is executed, triggering a null pointer dereference in kobject_put() that causes a kernel panic or system crash. This affects Linux systems with EDAC support enabled across multiple kernel versions from 5.19 through 7.0.

Technical ContextAI

The EDAC subsystem in the Linux kernel manages error detection and correction for memory controllers. The vulnerability exists in the edac_mc_alloc() function, which allocates and initializes an EDAC memory controller instance. The function attempts to allocate memory for mci->pvt_info (private info structure) and if this allocation fails, it invokes put_device() in the error handler. However, the code does not call device_initialize() before this allocation, meaning the device object and its release function pointer are not yet initialized when put_device() is invoked. This leads to a call to kobject_put() on an uninitialized kernel object, which fails with a NULL pointer dereference (CWE-476: Null Pointer Dereference). The fix reorders the initialization sequence so that device_initialize() is called before any allocation that could fail.

RemediationAI

Update the Linux kernel to a patched version: 6.1.169, 6.6.135, 6.12.82, 6.18.23, 6.19.13, or 7.0-rc1 and later. Patches are available from the Linux kernel stable repository at the commit hashes listed in the references (aae95970fad2127a1bd49d8713c7cd0677dcd2d6, d3de72e2a2b9ee3a57734c1c068823e41a707715, and others). For systems unable to immediately upgrade, mitigate by disabling EDAC support at boot time if not required (via kernel parameter edac=off or by not loading edac_core module), though this removes hardware error detection capabilities. Disable user-level access to EDAC sysfs interfaces if possible to prevent local users from triggering hardware initialization sequences that could cause the allocation failure.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31689 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy