UBUNTU-CVE-2026-31578

Advisory lineage Upstream: 1 Downstream: 0
Upstream
CVE-2026-31578
Published: 24 Apr 2026, 15:16
Last modified:04 Jun 2026, 17:59

Vulnerability Summary

Overall Risk (default)
medium
31/100
CVSS Score
7.8 HIGH
3.1 (osv_ubuntu)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

24 Apr 2026, 15:16
Published
Vulnerability first disclosed
04 Jun 2026, 17:59
Last Modified
Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: media: as102: fix to not free memory after the device is registered in as102_usb_probe() In as102_usb driver, the following race condition occurs: ``` CPU0 CPU1 as102_usb_probe() kzalloc(); // alloc as102_dev_t .... usb_register_dev(); fd = sys_open("/path/to/dev"); // open as102 fd .... usb_deregister_dev(); .... kfree(); // free as102_dev_t .... sys_close(fd); as102_release() // UAF!! as102_usb_release() kfree(); // DFB!! ``` When a USB character device registered with usb_register_dev() is later unregistered (via usb_deregister_dev() or disconnect), the device node is removed so new open() calls fail. However, file descriptors that are already open do not go away immediately: they remain valid until the last reference is dropped and the driver's .release() is invoked. In as102, as102_usb_probe() calls usb_register_dev() and then, on an error path, does usb_deregister_dev() and frees as102_dev_t right away. If userspace raced a successful open() before the deregistration, that open FD will later hit as102_release() --> as102_usb_release() and access or free as102_dev_t again, occur a race to use-after-free and double-free vuln. The fix is to never kfree(as102_dev_t) directly once usb_register_dev() has succeeded. After deregistration, defer freeing memory to .release(). In other words, let release() perform the last kfree when the final open FD is closed.

CVSS Metrics

  • v3.1HIGHScore: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Systems

  • ubuntulinux

    all | all | all | all | all

  • ubuntulinux-allwinner-5.19

    all

  • ubuntulinux-aws

    all | all | all | all | all

  • ubuntulinux-aws-5.0

    all

  • ubuntulinux-aws-5.11

    all

  • ubuntulinux-aws-5.13

    all

  • ubuntulinux-aws-5.15

    all

  • ubuntulinux-aws-5.19

    all

  • ubuntulinux-aws-5.3

    all

  • ubuntulinux-aws-5.4

    all

  • ubuntulinux-aws-5.8

    all

  • ubuntulinux-aws-6.14

    all

  • ubuntulinux-aws-6.17

    all

  • ubuntulinux-aws-6.2

    all

  • ubuntulinux-aws-6.5

    all

  • ubuntulinux-aws-6.8

    all

  • ubuntulinux-aws-fips

    all

  • ubuntulinux-aws-hwe

    all

  • ubuntulinux-azure

    all | all | all | all | all | all

  • ubuntulinux-azure-4.15

    all

  • ubuntulinux-azure-5.11

    all

  • ubuntulinux-azure-5.13

    all

  • ubuntulinux-azure-5.15

    all

  • ubuntulinux-azure-5.19

    all

  • ubuntulinux-azure-5.3

    all

  • ubuntulinux-azure-5.4

    all

  • ubuntulinux-azure-5.8

    all

  • ubuntulinux-azure-6.11

    all

  • ubuntulinux-azure-6.14

    all

  • ubuntulinux-azure-6.17

    all

  • ubuntulinux-azure-6.2

    all

  • ubuntulinux-azure-6.5

    all

  • ubuntulinux-azure-6.8

    all

  • ubuntulinux-azure-edge

    all

  • ubuntulinux-azure-fde

    all | all | all | all | all

  • ubuntulinux-azure-fde-5.15

    all

  • ubuntulinux-azure-fde-5.19

    all

  • ubuntulinux-azure-fde-6.14

    all

  • ubuntulinux-azure-fde-6.17

    all

  • ubuntulinux-azure-fde-6.2

    all

  • ubuntulinux-azure-fde-6.8

    all

  • ubuntulinux-azure-fips

    all

  • ubuntulinux-azure-nvidia

    all

  • ubuntulinux-azure-nvidia-6.14

    all

  • ubuntulinux-bluefield

    all | all

  • ubuntulinux-fips

    all

  • ubuntulinux-gcp

    all | all | all | all | all | all

  • ubuntulinux-gcp-4.15

    all

  • ubuntulinux-gcp-5.11

    all

  • ubuntulinux-gcp-5.13

    all

Showing first 50 affected entries in server-rendered view.

References (3)