Skip to main content

Linux Kernel CVE-2026-31730

| EUVDEUVD-2026-26543 HIGH
Double Free (CWE-415)
2026-05-01 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 18:15 vuln.today
CVSS changed
May 07, 2026 - 16:07 NVD
7.8 (HIGH)
Patch available
May 01, 2026 - 16:02 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26543
CVE Published
May 01, 2026 - 14:14 nvd
HIGH 7.8
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: possible double-free of cctx->remote_heap

fastrpc_init_create_static_process() may free cctx->remote_heap on the err_map path but does not clear the pointer. Later, fastrpc_rpmsg_remove() frees cctx->remote_heap again if it is non-NULL, which can lead to a double-free if the INIT_CREATE_STATIC ioctl hits the error path and the rpmsg device is subsequently removed/unbound. Clear cctx->remote_heap after freeing it in the error path to prevent the later cleanup from freeing it again.

This issue was found by an in-house analysis workflow that extracts AST-based information and runs static checks, with LLM assistance for triage, and was confirmed by manual code review. No hardware testing was performed.

AnalysisAI

Double-free memory corruption in the Linux kernel's fastrpc driver allows local attackers with low privileges to achieve high-impact code execution, privilege escalation, or denial of service. The vulnerability occurs when fastrpc_init_create_static_process() fails to nullify a freed heap pointer (cctx->remote_heap) in its error path, enabling fastrpc_rpmsg_remove() to free the same memory twice during device removal. Patches available across kernel versions 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% indicates low observed exploitation probability, with no active exploitation confirmed at time of analysis.

Technical ContextAI

The fastrpc subsystem (drivers/misc/fastrpc.c) provides a framework for remote procedure calls to Digital Signal Processors on Qualcomm platforms. The vulnerability is a classic use-after-free condition (CWE-415) where the error handling path in fastrpc_init_create_static_process() calls dma_free_coherent() or similar memory deallocation on cctx->remote_heap without setting the pointer to NULL. When an INIT_CREATE_STATIC ioctl operation fails and subsequently the rpmsg device is removed or unbound, fastrpc_rpmsg_remove() checks if cctx->remote_heap is non-NULL and attempts to free it again. This double-free can corrupt kernel heap metadata, potentially leading to arbitrary code execution if an attacker can control heap layout. The fix involves adding a simple pointer nullification after the initial free operation in the error path, following standard defensive programming practices for resource cleanup in C.

RemediationAI

Upgrade to patched kernel versions: 6.6.134+ for the 6.6 LTS series, 6.12.81+ for 6.12 stable, 6.18.22+ for 6.18 stable, 6.19.12+ for 6.19 stable, or mainline 7.0+. Patches add pointer nullification (cctx->remote_heap = NULL) immediately after dma_free_coherent() in fastrpc_init_create_static_process() error path. Upstream commits available at https://git.kernel.org/stable/c/4b8e527aca357a6488680713bd88007cf8f547fe for verification. If immediate patching is not feasible, restrict access to /dev/fastrpc-* device nodes to trusted processes only via udev rules or SELinux/AppArmor policies, though this provides limited protection as exploitation requires both device access and ability to trigger rpmsg device removal. Note that blocking fastrpc ioctl operations entirely will break legitimate DSP functionality on affected Qualcomm hardware. No effective workaround exists that maintains full system functionality; patching is the only complete remediation.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31730 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy