CVE-2026-31475
Published: 22 April 2026
Summary
CVE-2026-31475 is a high-severity Double Free (CWE-415) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 2.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the double free vulnerability by applying Linux kernel patches that eliminate the erroneous manual kfree() loop on devm_kzalloc() memory in the sma1307_setting_loaded() function.
Prevents exploitation of the sma1307 driver vulnerability by prohibiting or disabling its loading and execution when the associated audio hardware is not required.
Mitigates memory corruption from double free errors through kernel memory protections like slab freelist randomization and hardened allocators.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A double free in a Linux kernel driver provides a local low-privileged attacker with arbitrary kernel code execution, directly enabling privilege escalation to root.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: ASoC: sma1307: fix double free of devm_kzalloc() memory A previous change added NULL checks and cleanup for allocation failures in sma1307_setting_loaded(). However, the cleanup for mode_set entries is wrong. Those entries are allocated with devm_kzalloc(), so they are device-managed resources and must not be freed with kfree(). Manually freeing them in the error path can lead to a double free when devres later releases the same memory. Drop the manual kfree() loop and let devres handle the cleanup.
Deeper analysis
CVE-2026-31475 is a double free vulnerability (CWE-415) in the Linux kernel's ASoC sma1307 driver. The issue stems from a prior change in the sma1307_setting_loaded() function that introduced incorrect cleanup logic: it added NULL checks and manual kfree() calls on memory allocated via devm_kzalloc(), which is a device-managed allocation. This leads to a double free when the kernel's devres subsystem later automatically releases the same memory during device cleanup.
The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating exploitation requires local access with low privileges and low complexity, with no user interaction needed. A successful attacker could achieve high impacts on confidentiality, integrity, and availability, potentially enabling arbitrary code execution, data corruption, or kernel crashes in affected systems using the sma1307 driver.
Mitigation is addressed in Linux kernel stable patches, such as those referenced in commits 1a82c3272626db9006f4c2cad3adf2916417aed6, d472d1a52985211b92883bb64bbe710b45980190, and fe757092d2329c397ecb32f2bf68a5b1c4bd9193 on git.kernel.org. These patches remove the erroneous manual kfree() loop in the error path of sma1307_setting_loaded(), relying instead on devres for proper cleanup of the devm_kzalloc() resources.
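The ownership rule behind this bug and its fix, as an added userland model that is not the driver's or the kernel's code: a small devres-like list tracks managed allocations, and the error path is run once with the manual cleanup loop and once without it. All function names, the entry count and the failure index are assumptions made for illustration, and the stand-in for kfree() only records the free so the double release can be counted safely.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userland model of devres (not kernel code): managed allocations are
 * tracked per device and released at teardown. All names are hypothetical. */
struct res { void *mem; int frees; struct res *next; };
struct dev { struct res *head; };
static void *model_devm_alloc(struct dev *d, size_t n) {
    struct res *r = calloc(1, sizeof(*r));
    if (!r || !(r->mem = calloc(1, n))) { free(r); return NULL; }
    r->next = d->head; d->head = r;
    return r->mem;
}
/* Stand-in for kfree(): records the free so double frees can be counted. */
static void model_kfree(struct dev *d, void *p) {
    for (struct res *r = d->head; r; r = r->next)
        if (r->mem == p) r->frees++;
}
/* Teardown: devres frees all it owns; returns how many were freed before. */
static int model_release_all(struct dev *d) {
    int doubles = 0;
    for (struct res *r = d->head, *n; r; r = n) {
        n = r->next;
        doubles += r->frees > 0;
        free(r->mem);
        free(r);
    }
    d->head = NULL;
    return doubles;
}
/* Allocate 4 entries with a simulated failure at index fail_at.
 * manual_cleanup=1 models the flawed error path, 0 the corrected one. */
static int load_settings(struct dev *d, int fail_at, int manual_cleanup) {
    void *set[4] = {0};
    for (int i = 0; i < 4; i++) {
        set[i] = (i == fail_at) ? NULL : model_devm_alloc(d, 64);
        if (set[i]) continue;
        for (int j = 0; manual_cleanup && j < i; j++) model_kfree(d, set[j]);
        return -1;
    }
    return 0;
}
int run_model(int fail_at, int manual_cleanup) {  /* double frees at teardown */
    struct dev d = {0};
    load_settings(&d, fail_at, manual_cleanup);
    return model_release_all(&d);
}
int main(void) {
    printf("flawed: %d, fixed: %d\n", run_model(3, 1), run_model(3, 0));
}
```

The double-free count equals the number of entries allocated before the failure, so the flawed path is only reachable when an allocation fails partway through the loop.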
Details
- CWE(s)