Cyber Resilience

CVE-2026-31527

HighUpdated

Published: 22 April 2026

Published
22 April 2026
Modified
01 June 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 3.5th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-31527 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31527 is a Use After Free (UAF) vulnerability (CWE-416) in the Linux kernel's driver core platform code. The issue arises during driver probing via __driver_attach(), where the bus' match() callback accesses the driver_override field without the device lock held, potentially leading to a UAF. This affects Linux kernel versions prior to the application of the relevant stable patches.

A local attacker with low privileges (AV:L/PR:L) can exploit this vulnerability with low attack complexity and no user interaction required (AC:L/UI:N). Successful exploitation can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), as scored at 7.8 by CVSS 3.1 with no scope change (S:U).

Mitigation involves applying kernel patches that refactor the platform driver to use the generic driver-core driver_override infrastructure, which internally manages proper locking during match() callbacks. Relevant fixes are documented in the following stable kernel commits: https://git.kernel.org/stable/c/2b38efc05bf7a8568ec74bfffea0f5cfa62bc01d, https://git.kernel.org/stable/c/7c02a9bd7d14a89065fcf672b86d8e1d1a41d3b1, https://git.kernel.org/stable/c/9a6086d2a828dd2ff74cf9abcae456670febd71f, and https://git.kernel.org/stable/c/edee7ee5a14c3b33f6d54641f5af5c5e9180992d. Note that calling match() without the device lock is intentional behavior.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: driver core: platform: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field…

more

without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional. [1]

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF during driver probing enables memory corruption leading to arbitrary code execution and privilege escalation from low-privileged user context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2026-43019Same product: Linux Linux Kernel
CVE-2026-23158Same product: Linux Linux Kernel
CVE-2025-21893Same product: Linux Linux Kernel
CVE-2026-31446Same product: Linux Linux Kernel
CVE-2026-31650Same product: Linux Linux Kernel
CVE-2026-23001Same product: Linux Linux Kernel
CVE-2024-50051Same product: Linux Linux Kernel
CVE-2025-21759Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
7.0 · 3.17 — 6.12.80 · 6.13 — 6.18.21 · 6.19 — 6.19.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation through kernel patches that fix the UAF by implementing proper locking for driver_override access during probing.

prevent

Enforces kernel memory protections to prevent unauthorized access, modification, or execution of freed memory exploited in this driver core UAF.

detect

Monitors kernel software integrity to detect execution anomalies or unauthorized changes triggered by successful UAF exploitation.

References