Skip to main content

Linux Kernel EUVD-2026-25885

| CVE-2026-31688 HIGH
Use After Free (CWE-416)
2026-04-27 Linux
Denial Of Service Linux Use After Free Memory Corruption Red Hat Suse
7.8
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 06, 2026 - 21:00 vuln.today
CVSS changed
May 06, 2026 - 18:52 NVD
7.8 (HIGH)
EUVD ID Assigned
Apr 27, 2026 - 18:00 euvd
EUVD-2026-25885
CVE Published
Apr 27, 2026 - 17:32 nvd
N/A
CVE Published
Apr 27, 2026 - 17:32 nvd
HIGH 7.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

driver core: enforce device_lock for driver_match_device()

Currently, driver_match_device() is called from three sites. One site (__device_attach_driver) holds device_lock(dev), but the other two (bind_store and __driver_attach) do not. This inconsistency means that bus match() callbacks are not guaranteed to be called with the lock held.

Fix this by introducing driver_match_device_locked(), which guarantees holding the device lock using a scoped guard. Replace the unlocked calls in bind_store() and __driver_attach() with this new helper. Also add a lock assertion to driver_match_device() to enforce this guarantee.

This consistency also fixes a known race condition. The driver_override implementation relies on the device_lock, so the missing lock led to the use-after-free (UAF) reported in Bugzilla for buses using this field.

Stress testing the two newly locked paths for 24 hours with CONFIG_PROVE_LOCKING and CONFIG_LOCKDEP enabled showed no UAF recurrence and no lockdep warnings.

AnalysisAI

Use-after-free in Linux kernel driver core allows local authenticated users to execute arbitrary code, escalate privileges, or crash the system via race condition in device-driver binding operations. The vulnerability stems from inconsistent locking in driver_match_device() function calls, specifically affecting driver_override functionality where device_lock was not held during bind_store() and __driver_attach() operations. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Inventory systems running Linux kernels prior to version 7.0 and identify those with multi-user or container workloads. Within 7 days: Prioritize patching to kernel 7.0 or later, or apply backport commit dc23806a7c47 to maintained kernel branches; test in non-production first. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-9277 HIGH
8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr
CVE-2026-9256 HIGH
8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers
CVE-2026-47334 MEDIUM
5.5 May 28

Kernel availability loss in Ubuntu Linux 6.8, 6.17, and 7.0 can be triggered by any unprivileged local user via a defect
CVE-2026-47335 MEDIUM
5.5 May 28

Kernel panic via NULL pointer dereference in Ubuntu Linux 6.8's AppArmor notification handler allows a locally authentic
CVE-2026-47327 LOW
3.3 May 28

NULL pointer dereference in Ubuntu Linux kernel versions 6.8, 6.17, and 7.0 allows a local unprivileged user to crash th

Vendor StatusVendor

Share

EUVD-2026-25885 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy