CVE-2026-31527
Published: 22 April 2026
Summary
CVE-2026-31527 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 3.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31527 is a Use After Free (UAF) vulnerability (CWE-416) in the Linux kernel's driver core platform code. The issue arises during driver probing via __driver_attach(), where the bus' match() callback accesses the driver_override field without the device lock held, potentially leading to a UAF. This affects Linux kernel versions prior to the application of the relevant stable patches.
A local attacker with low privileges (AV:L/PR:L) can exploit this vulnerability with low attack complexity and no user interaction required (AC:L/UI:N). Successful exploitation can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), as scored at 7.8 by CVSS 3.1 with no scope change (S:U).
Mitigation involves applying kernel patches that refactor the platform driver to use the generic driver-core driver_override infrastructure, which internally manages proper locking during match() callbacks. Relevant fixes are documented in the following stable kernel commits: https://git.kernel.org/stable/c/2b38efc05bf7a8568ec74bfffea0f5cfa62bc01d, https://git.kernel.org/stable/c/7c02a9bd7d14a89065fcf672b86d8e1d1a41d3b1, https://git.kernel.org/stable/c/9a6086d2a828dd2ff74cf9abcae456670febd71f, and https://git.kernel.org/stable/c/edee7ee5a14c3b33f6d54641f5af5c5e9180992d. Note that calling match() without the device lock is intentional behavior.
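The locking pattern described above, as a userspace model added here for illustration. It is not kernel code and not taken from the fix commits; every name in it is hypothetical, a pthread mutex stands in for whatever lock the driver-core infrastructure uses, and the concurrent writer that frees the old string is an assumption of the model.

```c
/* Userspace model of the driver_override race; all names are hypothetical. */
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

struct model_device {
    pthread_mutex_t override_lock; /* protects driver_override */
    char *driver_override;         /* heap string, may be replaced at any time */
};

/* Writer: publish the new string under the lock, free the old one after. */
int model_set_override(struct model_device *dev, const char *name)
{
    char *new_str = NULL, *old;

    if (name) {
        size_t len = strlen(name) + 1;
        new_str = malloc(len);
        if (!new_str)
            return -1;
        memcpy(new_str, name, len);
    }
    pthread_mutex_lock(&dev->override_lock);
    old = dev->driver_override;
    dev->driver_override = new_str;
    pthread_mutex_unlock(&dev->override_lock);
    free(old);
    return 0;
}

/* "Before" pattern: the pointer is loaded and dereferenced with no lock.
 * A writer running between the NULL check and strcmp() can free the
 * string, so strcmp() reads freed memory (the UAF). */
int model_match_unlocked(struct model_device *dev, const char *drv_name)
{
    if (!dev->driver_override)
        return -1;                 /* no override set */
    return strcmp(dev->driver_override, drv_name) == 0;
}

/* "After" pattern: the accessor takes the lock itself, so the caller
 * can still invoke match() without holding any device-wide lock. */
int model_match_locked(struct model_device *dev, const char *drv_name)
{
    int ret = -1;                  /* -1: no override, 0: mismatch, 1: match */

    pthread_mutex_lock(&dev->override_lock);
    if (dev->driver_override)
        ret = strcmp(dev->driver_override, drv_name) == 0;
    pthread_mutex_unlock(&dev->override_lock);
    return ret;
}
```

Both match functions return the same values when nothing runs concurrently; they differ only in whether the string can be freed while it is being compared.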
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24919
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: driver core: platform: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional. [1]
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel UAF during driver probing enables memory corruption leading to arbitrary code execution and privilege escalation from low-privileged user context.
Mitigating Controls (NIST 800-53 r5)
Requires timely remediation through kernel patches that fix the UAF by implementing proper locking for driver_override access during probing.
Enforces kernel memory protections to prevent unauthorized access, modification, or execution of freed memory exploited in this driver core UAF.
Monitors kernel software integrity to detect execution anomalies or unauthorized changes triggered by successful UAF exploitation.