CVE-2026-31489
Published: 22 April 2026
Summary
CVE-2026-31489 is a high-severity Double Free (CWE-415) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely identification, reporting, and patching of the double-free vulnerability in the Linux kernel's meson-spicc driver as specified in the stable kernel commits.
Provides vulnerability scanning to identify the CVE-2026-31489 double-put issue in affected Linux kernel versions.
Implements memory protections such as non-executable memory and address randomization to mitigate exploitation of the double-free leading to code execution or crashes.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel double-free (CWE-415) in meson-spicc driver directly enables exploitation by low-privileged attacker for arbitrary code execution and privilege escalation (high C/I/A impact).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: spi: meson-spicc: Fix double-put in remove path meson_spicc_probe() registers the controller with devm_spi_register_controller(), so teardown already drops the controller reference via devm cleanup. Calling spi_controller_put() again in meson_spicc_remove() causes a…
more
double-put.
Deeper analysisAI
CVE-2026-31489 is a vulnerability in the Linux kernel's meson-spicc SPI controller driver. The issue arises because meson_spicc_probe() registers the controller using devm_spi_register_controller(), which handles reference dropping via devm cleanup during teardown. However, meson_spicc_remove() calls spi_controller_put() again, resulting in a double-put of the controller reference. This flaw is classified under CWE-415 (Double Free) with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of required user interaction. Successful exploitation could lead to high impacts on confidentiality, integrity, and availability, potentially enabling kernel crashes, denial of service, or more severe effects like arbitrary code execution through the double-free error.
Mitigation involves applying the relevant stable kernel patches, as detailed in the following commit references: https://git.kernel.org/stable/c/40ad0334c17b23d8b66b1082ad1478a6202e90e2, https://git.kernel.org/stable/c/63542bb402b7013171c9f621c28b609eda4dbf1f, https://git.kernel.org/stable/c/9b812ceb75a6260c17c91db4b9e74ead8cfa06f5, and https://git.kernel.org/stable/c/da06a104f0486355073ff0d1bcb1fcbebb7080d6. Security practitioners should update affected Linux kernels to versions incorporating these fixes.
Details
- CWE(s)