Skip to main content

Linux Kernel EUVDEUVD-2026-26558

| CVE-2026-31745 HIGH
Double Free (CWE-415)
2026-05-01 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 19:37 vuln.today
CVSS changed
May 07, 2026 - 19:37 NVD
7.8 (HIGH)
Patch available
May 01, 2026 - 16:02 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26558
CVE Published
May 01, 2026 - 14:14 nvd
HIGH 7.8
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

reset: gpio: fix double free in reset_add_gpio_aux_device() error path

When __auxiliary_device_add() fails, reset_add_gpio_aux_device() calls auxiliary_device_uninit(adev).

The device release callback reset_gpio_aux_device_release() frees adev, but the current error path then calls kfree(adev) again, causing a double free.

Keep kfree(adev) for the auxiliary_device_init() failure path, but avoid freeing adev after auxiliary_device_uninit().

AnalysisAI

Double-free memory corruption in the Linux kernel reset-gpio subsystem allows local authenticated users to escalate privileges or crash the system. The vulnerability exists in reset_add_gpio_aux_device() error handling since commit 5fc4e4cf7a22, where auxiliary_device_uninit() triggers a release callback that frees memory, but the error path then calls kfree() on the same pointer. Patches available for kernel versions 6.19.12+ and 7.0+. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. Not listed in CISA KEV; no public exploit identified at time of analysis.

Technical ContextAI

This is a use-after-free/double-free bug (CWE-415) in the Linux kernel's GPIO reset controller auxiliary device initialization code. When __auxiliary_device_add() fails during device registration, the error path calls auxiliary_device_uninit(), which invokes the reset_gpio_aux_device_release() callback that frees the adev structure. The code then incorrectly calls kfree(adev) again on the already-freed memory. Double-free vulnerabilities can cause heap corruption, potentially leading to arbitrary code execution if an attacker can control heap layout. The affected code path is in drivers/reset/reset-gpio.c, introduced in commit 5fc4e4cf7a22. CPE strings indicate this affects general Linux kernel builds containing the reset-gpio driver. The CVSS vector AV:L indicates local access is required, with low attack complexity (AC:L) and low privileges (PR:L), making exploitation straightforward for local users who can trigger device initialization.

RemediationAI

Apply vendor-released patches: upgrade to Linux kernel 6.19.12 or later for the 6.19 stable branch, or kernel 7.0 final release for mainline users. Patch commits available at https://git.kernel.org/stable/c/1de465753220deb41569cf2add87bbb0673731db (mainline fix) and https://git.kernel.org/stable/c/fbffb8c7c7bb4d38e9f65e0bee446685011de5d8 (stable backport). The fix modifies reset_add_gpio_aux_device() to avoid calling kfree() after auxiliary_device_uninit() by restructuring the error path. If immediate patching is not feasible, consider disabling CONFIG_RESET_GPIO at kernel build time to remove the vulnerable code entirely, but note this will break systems dependent on GPIO-based reset functionality such as certain embedded boards and device tree configurations requiring gpio-reset bindings. For production systems where the reset-gpio driver is not critical, unloading the module (if built as a module) provides temporary mitigation, though this may cause devices depending on GPIO resets to fail initialization. No runtime configuration workaround exists for systems requiring this driver; patching is the only complete remediation.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26558 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy