Skip to main content

Linux Kernel GPIB CVE-2026-31769

| EUVDEUVD-2026-26582 HIGH
Use After Free (CWE-416)
2026-05-01 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:30 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
7.8 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 16:33 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26582
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:14 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

gpib: fix use-after-free in IO ioctl handlers

The IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers use a gpib_descriptor pointer after board->big_gpib_mutex has been released. A concurrent IBCLOSEDEV ioctl can free the descriptor via close_dev_ioctl() during this window, causing a use-after-free.

The IO handlers (read_ioctl, write_ioctl, command_ioctl) explicitly release big_gpib_mutex before calling their handler. wait_ioctl() is called with big_gpib_mutex held, but ibwait() releases it internally when wait_mask is non-zero. In all four cases, the descriptor pointer obtained from handle_to_descriptor() becomes unprotected.

Fix this by introducing a kernel-only descriptor_busy reference count in struct gpib_descriptor. Each handler atomically increments descriptor_busy under file_priv->descriptors_mutex before releasing the lock, and decrements it when done. close_dev_ioctl() checks descriptor_busy under the same lock and rejects the close with -EBUSY if the count is non-zero.

A reference count rather than a simple flag is necessary because multiple handlers can operate on the same descriptor concurrently (e.g. IBRD and IBWAIT on the same handle from different threads).

A separate counter is needed because io_in_progress can be cleared from unprivileged userspace via the IBWAIT ioctl (through general_ibstatus() with set_mask containing CMPL), which would allow an attacker to bypass a check based solely on io_in_progress. The new descriptor_busy counter is only modified by the kernel IO paths.

The lock ordering is consistent (big_gpib_mutex -> descriptors_mutex) and the handlers only hold descriptors_mutex briefly during the lookup, so there is no deadlock risk and no impact on IO throughput.

AnalysisAI

Use-after-free in Linux kernel GPIB subsystem allows local authenticated attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability occurs in IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers when concurrent IBCLOSEDEV calls free descriptors still in use by I/O operations. EPSS probability is very low (0.02%, 4th percentile), indicating minimal observed exploitation activity. Vendor patches available for stable branches 6.18.22, 6.19.12, and mainline 7.0 via commits cae26eff, 28c75dd1, and d1857f82.

Technical ContextAI

The GPIB (General Purpose Interface Bus) subsystem in the Linux kernel implements IEEE 488 bus controller functionality through ioctl handlers. The vulnerability stems from improper synchronization between I/O operations and resource cleanup. Four ioctl handlers (read_ioctl, write_ioctl, command_ioctl, wait_ioctl) obtain a gpib_descriptor pointer via handle_to_descriptor() under board->big_gpib_mutex protection, but then release the mutex before completing their operations. During this window, a concurrent IBCLOSEDEV ioctl can invoke close_dev_ioctl(), which frees the descriptor structure while the I/O handler still holds a reference to it. The existing io_in_progress flag was insufficient because it could be cleared from unprivileged userspace via IBWAIT ioctl calling general_ibstatus() with CMPL in set_mask. This is a classic time-of-check-time-of-use race condition where the validity of a resource is checked under lock but the resource is used after the lock is released. The fix introduces a kernel-controlled descriptor_busy atomic reference counter protected by file_priv->descriptors_mutex, ensuring descriptors cannot be freed while kernel I/O paths actively use them.

RemediationAI

Apply vendor-released kernel patches immediately for any systems with GPIB hardware: upgrade to Linux kernel 6.18.22 or later for 6.18.x series (commit 28c75dd143ead62e0dfac564c79d251e21d5d74b), 6.19.12 or later for 6.19.x series (commit cae26eff1b56d78bed7873cf3e60a2b1bdd4da6c), or 7.0 or later for mainline (commit d1857f8296dceb75d00ab857fc3c61bc00c7f5c6). Patches available at https://git.kernel.org/stable/c/cae26eff1b56d78bed7873cf3e60a2b1bdd4da6c and related commit URLs. For systems where immediate patching is not feasible, implement compensating controls: unload the GPIB kernel module (rmmod gpib_common and related modules) if GPIB hardware is not actively in use, which eliminates the attack surface entirely. Restrict access to /dev/gpib* device nodes using filesystem permissions (chmod 600, chown root:root) to prevent unprivileged local users from opening GPIB file descriptors required for exploitation. Note that unloading the module will break any applications depending on GPIB functionality. If GPIB access is required, restrict user accounts with physical or SSH access to the system and monitor for unusual ioctl activity on GPIB devices via auditd rules. For most deployments without GPIB hardware, verify the gpib module is not loaded (lsmod | grep gpib) and consider blacklisting it in /etc/modprobe.d/ to prevent accidental loading.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31769 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy