CVE-2026-31576

HIGH EPSS 2.8%
Published Apr 24, 20262mo ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
High
Find Similar
Published Apr 24, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: media: hackrf: fix to not free memory after the device is registered in hackrf_probe() In hackrf driver, the following race condition occurs: ``` CPU0 CPU1 hackrf_probe() kzalloc(); // alloc hackrf_dev .... v4l2_device_register(); .... fd = sys_open("/path/to/dev"); // open hackrf fd .... v4l2_device_unregister(); .... kfree(); // free hackrf_dev .... sys_ioctl(fd, ...); v4l2_ioctl(); video_is_registered() // UAF!! .... sys_close(fd); v4l2_release() // UAF!! hackrf_video_release() kfree(); // DFB!! ``` When a V4L2 or video device is unregistered, the device node is removed so new open() calls are blocked. However, file descriptors that are already open-and any in-flight I/O-do not terminate immediately; they remain valid until the last reference is dropped and the driver's release() is invoked. Therefore, freeing device memory on the error path after hackrf_probe() has registered dev it will lead to a race to use-after-free vuln, since those already-open handles haven't been released yet. And since release() free memory too, race to use-after-free and double-free vuln occur. To prevent this, if device is registered from probe(), it should be modified to free memory only through release() rather than calling kfree() directly.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 5

VendorProductVersionRange
linuxlinux_kernel* <6.6.136
linuxlinux_kernel*≥6.7  –  <6.12.83
linuxlinux_kernel*≥6.13  –  <6.18.24
linuxlinux_kernel*≥6.19  –  <6.19.14
linuxlinux_kernel*≥7.0  –  <7.0.1

References 9

  • git.kernel.org https://git.kernel.org/stable/c/07e9e674b6146b1f6fc41b1f54b8968bf2802824
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/131ec9046e1c8af101aebdaec4e8095e05f3312b
  • git.kernel.org https://git.kernel.org/stable/c/2145c71a8044362e82e9923f001ba2aeb771b848
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3b7da2b4d0fe014eff181ed37e3bf832eb8ed258
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/45cbaf5c7cdc5386d86377f0daf94a17a007fed0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/67fd62e3efdc9dce01f76d95a745212f4feb38e6
  • git.kernel.org https://git.kernel.org/stable/c/87b9685cca91ed715c39ba544715832d26a7f4b4
  • git.kernel.org https://git.kernel.org/stable/c/98a0a81ce78020c2522e0046f49d200de9778cb9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fcd1d70792a35c8a97414fe429f48311e41269c2
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/07e9e674b6146b1f6fc41b1f54b8968bf2802824
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2145c71a8044362e82e9923f001ba2aeb771b848
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3b7da2b4d0fe014eff181ed37e3bf832eb8ed258
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/45cbaf5c7cdc5386d86377f0daf94a17a007fed0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/98a0a81ce78020c2522e0046f49d200de9778cb9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fcd1d70792a35c8a97414fe429f48311e41269c2
    Patch