CVE-2026-31578
Vulnerability Summary
Timeline
Description
In the Linux kernel, the following vulnerability has been resolved: media: as102: fix to not free memory after the device is registered in as102_usb_probe() In as102_usb driver, the following race condition occurs: ``` CPU0 CPU1 as102_usb_probe() kzalloc(); // alloc as102_dev_t .... usb_register_dev(); fd = sys_open("/path/to/dev"); // open as102 fd .... usb_deregister_dev(); .... kfree(); // free as102_dev_t .... sys_close(fd); as102_release() // UAF!! as102_usb_release() kfree(); // DFB!! ``` When a USB character device registered with usb_register_dev() is later unregistered (via usb_deregister_dev() or disconnect), the device node is removed so new open() calls fail. However, file descriptors that are already open do not go away immediately: they remain valid until the last reference is dropped and the driver's .release() is invoked. In as102, as102_usb_probe() calls usb_register_dev() and then, on an error path, does usb_deregister_dev() and frees as102_dev_t right away. If userspace raced a successful open() before the deregistration, that open FD will later hit as102_release() --> as102_usb_release() and access or free as102_dev_t again, occur a race to use-after-free and double-free vuln. The fix is to never kfree(as102_dev_t) directly once usb_register_dev() has succeeded. After deregistration, defer freeing memory to .release(). In other words, let release() perform the last kfree when the final open FD is closed.
CVSS Metrics
- v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Trends
Current EPSS score: 0.01%• Percentile: 3%
Techniques & Countermeasures
- CWE-416•Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Affected Systems
- linux•linux
≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 582fbecb3756330006fe1950762412a68c2cacd2 | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 09e9206008b887aa553733bd915d73131071a086 | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 2eeae47a438694408189138048a786be99954032 | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 7e5aedf6059cba2a669d86caeaf5a51f33ec85a1 | ≥ cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c, < 0d36653a3a821e5a974798adb347b3ea09332914 | ≥ cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c, < 25d500cf391e384356a612b85cf60b353ad3cd0c | ≥ cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c, < 07ceb444c8f627cf863864d4274b5a77769725ed | ≥ cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c, < cb8092038e95dc1113a68e63762de40fff61ba71 | ≥ cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c, < 582fbecb3756330006fe1950762412a68c2cacd2 | ≥ cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c, < 09e9206008b887aa553733bd915d73131071a086 | ≥ cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c, < 2eeae47a438694408189138048a786be99954032 | ≥ cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c, < 7e5aedf6059cba2a669d86caeaf5a51f33ec85a1 | ≥ cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c, < 8bd29dbe03fc5b0f039ab2395ff37b64236d2f0c | 3.14
- linux•linux_kernel
< 6.6.136 | ≥ 6.7, < 6.12.83 | ≥ 6.13, < 6.18.24 | ≥ 6.19, < 6.19.14 | ≥ 7.0, < 7.0.1
References (9)
- https://git.kernel.org/stable/c/582fbecb3756330006fe1950762412a68c2cacd2
- https://git.kernel.org/stable/c/09e9206008b887aa553733bd915d73131071a086
- https://git.kernel.org/stable/c/2eeae47a438694408189138048a786be99954032
- https://git.kernel.org/stable/c/7e5aedf6059cba2a669d86caeaf5a51f33ec85a1
- https://git.kernel.org/stable/c/8bd29dbe03fc5b0f039ab2395ff37b64236d2f0c
- https://git.kernel.org/stable/c/cb8092038e95dc1113a68e63762de40fff61ba71
- https://git.kernel.org/stable/c/0d36653a3a821e5a974798adb347b3ea09332914
- https://git.kernel.org/stable/c/25d500cf391e384356a612b85cf60b353ad3cd0c
- https://git.kernel.org/stable/c/07ceb444c8f627cf863864d4274b5a77769725ed