Skip to main content

Linux Kernel CVE-2026-31758

| EUVDEUVD-2026-26571 HIGH
Use After Free (CWE-416)
2026-05-01 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:29 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
7.8 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 16:33 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26571
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:14 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

usb: usbtmc: Flush anchored URBs in usbtmc_release

When calling usbtmc_release, pending anchored URBs must be flushed or killed to prevent use-after-free errors (e.g. in the HCD giveback path). Call usbtmc_draw_down() to allow anchored URBs to be completed.

AnalysisAI

Use-after-free condition in Linux kernel USB Test and Measurement Class (USBTMC) driver allows local authenticated attackers to execute arbitrary code with elevated privileges. The vulnerability occurs when the usbtmc_release function fails to properly flush pending anchored URBs, leaving dangling references that can be exploited in the HCD giveback path. Vendor patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0). Despite the high CVSS score of 7.8, the EPSS exploitation probability is very low at 0.02% (7th percentile), indicating limited real-world targeting, and no active exploitation or public POC has been identified.

Technical ContextAI

The USB Test and Measurement Class (USBTMC) driver in the Linux kernel manages USB-based test and measurement equipment communication. This vulnerability affects the URB (USB Request Block) lifecycle management in the driver's release function. When a USBTMC device file descriptor is closed via usbtmc_release(), the function fails to properly flush or kill pending anchored URBs before the associated data structures are freed. URBs are anchored to track outstanding asynchronous USB operations. In the Linux USB stack, when URBs complete, the Host Controller Driver (HCD) calls giveback routines that may reference the now-freed memory, creating a classic use-after-free condition. The affected code path exists since commit 4f3c8d6eddc272b386464524235440a418ed2029 and impacts all kernel versions from 4.19 onward until the patches. The fix invokes usbtmc_draw_down() to ensure all anchored URBs complete before resource deallocation.

RemediationAI

Upgrade to patched Linux kernel versions: 5.10.253 or later for the 5.10 LTS branch, 5.15.203 or later for 5.15 LTS, 6.1.168 or later for 6.1 LTS, 6.6.134 or later for 6.6 stable, 6.12.81 or later for 6.12, 6.18.22 or later for 6.18, 6.19.12 or later for 6.19, or 7.0 for mainline. Specific fix commits are documented at https://git.kernel.org/stable/c/959ef329071136e4335b54822fe2f607659b4569 (mainline) and branch-specific commits at the kernel.org references provided. If immediate patching is not feasible, unload the usbtmc kernel module (rmmod usbtmc) to completely eliminate the attack surface, though this prevents use of USB test and measurement equipment; this mitigation has no performance impact but breaks functionality for USBTMC-dependent applications. Alternatively, restrict access to /dev/usbtmc* device nodes via udev rules to trusted users only, limiting the local authenticated attack prerequisite, though this reduces defense depth and does not eliminate the vulnerability. Verify no USBTMC hardware is attached in environments where test equipment is not required, as the driver poses no risk without physical USB TMC devices.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31758 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy