Skip to main content

Linux Kernel EUVDEUVD-2026-26572

| CVE-2026-31759 HIGH
Double Free (CWE-415)
2026-05-01 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 08, 2026 - 20:30 vuln.today
CVSS changed
May 08, 2026 - 18:22 NVD
7.8 (HIGH)
Patch available
May 01, 2026 - 16:33 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26572
CVE Published
May 01, 2026 - 14:14 nvd
HIGH 7.8
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

usb: ulpi: fix double free in ulpi_register_interface() error path

When device_register() fails, ulpi_register() calls put_device() on ulpi->dev.

The device release callback ulpi_dev_release() drops the OF node reference and frees ulpi, but the current error path in ulpi_register_interface() then calls kfree(ulpi) again, causing a double free.

Let put_device() handle the cleanup through ulpi_dev_release() and avoid freeing ulpi again in ulpi_register_interface().

AnalysisAI

Double-free memory corruption in Linux kernel USB ULPI subsystem allows local authenticated attackers with low privileges to potentially achieve arbitrary code execution, denial of service, or information disclosure. The flaw exists in ulpi_register_interface() error handling since kernel 4.2 (commit 289fcff4b), where device_register() failure triggers cleanup via put_device() followed by redundant kfree(), corrupting kernel memory. Patches available across stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% suggests low likelihood of mass exploitation despite high CVSS 7.8, likely due to local attack vector and requirement for device registration failure conditions.

Technical ContextAI

The vulnerability affects the USB ULPI (UTMI+ Low Pin Interface) subsystem introduced in Linux 4.2, specifically the device registration error path in drivers/usb/common/ulpi.c. ULPI is a physical interface specification for connecting USB transceivers to USB controllers. The flaw is a classic use-after-free/double-free (CWE-415) in the ulpi_register_interface() function. When device_register() fails, the code correctly calls put_device() which decrements the device reference count and eventually triggers ulpi_dev_release() callback. This callback performs proper cleanup including of_node_put() to drop device tree references and kfree(ulpi) to deallocate the structure. However, the error path then executes a second kfree(ulpi), attempting to free already-released memory. This corrupts kernel heap metadata and can lead to arbitrary memory operations when the freed region is reallocated. The vulnerability persists across multiple stable kernel branches from 4.2 through 6.x versions until patched in early 2026.

RemediationAI

Update to patched Linux kernel versions: 5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, or 7.0+ depending on your stable branch. Upstream fix commits available at https://git.kernel.org/stable/c/272a9b26c336a295e4e209157fed809706c1b1f7 (mainline) with backports to stable branches. Distribution-specific updates: apply kernel security updates from your vendor (Red Hat RHSA, Ubuntu USN, Debian DSA, SUSE updates) that incorporate these commits. Workaround for systems unable to patch immediately: restrict local user access to USB device management capabilities via udev rules and disable USB hotplug for non-privileged users (note: this limits USB functionality and may break desktop user workflows). Monitor kernel logs for device_register() failures in ULPI subsystem as potential exploitation indicators. Restart required after kernel update to activate fix.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26572 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy