Skip to main content

Linux Kernel CVE-2026-31750

| EUVDEUVD-2026-26563 MEDIUM
Memory Leak (CWE-401)
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 21:46 vuln.today
CVSS changed
May 07, 2026 - 19:22 NVD
5.5 (MEDIUM)
Patch available
May 01, 2026 - 16:02 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26563
CVE Published
May 01, 2026 - 14:14 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

comedi: runflags cannot determine whether to reclaim chanlist

syzbot reported a memory leak [1], because commit 4e1da516debb ("comedi: Add reference counting for Comedi command handling") did not consider the exceptional exit case in do_cmd_ioctl() where runflags is not set. This caused chanlist not to be properly freed by do_become_nonbusy(), as it only frees chanlist when runflags is correctly set.

Added a check in do_become_nonbusy() for the case where runflags is not set, to properly free the chanlist memory.

[1] BUG: memory leak backtrace (crc 844a0efa): __comedi_get_user_chanlist drivers/comedi/comedi_fops.c:1815 [inline] do_cmd_ioctl.part.0+0x112/0x350 drivers/comedi/comedi_fops.c:1890 do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 [inline]

AnalysisAI

Memory leak in Linux kernel comedi subsystem allows local privileged users to exhaust kernel memory and cause denial of service. The vulnerability exists in do_cmd_ioctl() where chanlist memory is not properly freed when runflags is not set following an exceptional exit, due to incomplete reference counting logic introduced in commit 4e1da516debb. CVSS 5.5 (local, low complexity, requires user privilege) with EPSS 0.02% indicates this is a lower-priority local DoS affecting systems with comedi driver loaded and untrusted local users.

Technical ContextAI

The comedi subsystem is a Linux kernel driver framework for data acquisition and control hardware. The vulnerability involves the do_cmd_ioctl() function in drivers/comedi/comedi_fops.c, which handles ioctl commands for comedi devices. The __comedi_get_user_chanlist() function allocates memory for a channel list (chanlist), but when an exceptional exit occurs in do_cmd_ioctl() before the runflags field is properly set, the do_become_nonbusy() cleanup function cannot determine whether chanlist was allocated and thus fails to free it. This is a memory management error (CWE-401: Missing Release of Memory after Effective Lifetime) stemming from incomplete reference counting added in commit 4e1da516debb. The fix adds explicit checks in do_become_nonbusy() to detect and free chanlist even when runflags indicates an incomplete command setup.

RemediationAI

Update Linux kernel to a patched version: 6.19.12 or later for 6.19 series, or 7.0+ for the 7.0 series. Apply upstream commits 830c848aba9f047eb6b34288975ebeb8e8621451 or 29f644f14b89e6c4965e3c89251929e451190a66 directly if intermediate kernel versions are in use (via https://git.kernel.org/stable/c/830c848aba9f047eb6b34288975ebeb8e8621451). For systems unable to patch immediately, the vulnerability only manifests when comedi drivers are loaded and local users trigger specific error conditions in ioctl command setup; disabling unused comedi hardware drivers (modprobe -r) or restricting ioctl access to trusted users only via file permissions on /dev/comedi* devices provides temporary mitigation, though this may disable legitimate comedi functionality if the driver is needed. The fix itself is surgical (adds chanlist cleanup checks) with no functional side effects.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31750 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy