Cyber Resilience

CVE-2026-31530

High

Published: 22 April 2026
Modified: 28 April 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.0th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31530 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel (vendor: Linux; product: Linux Kernel). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 5.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-31530 is a use-after-free vulnerability in the Linux kernel's CXL (Compute Express Link) subsystem, specifically within the cxl/port code. The issue occurs in the cxl_detach_ep() function during bottom-up removal of CXL memory devices beneath a switch port. In this process, the function locks both the port and its parent_port, removes the endpoint, and may unregister the port if empty. However, parent_port can be freed prematurely due to concurrent detach operations or cascading unregistrations in delete_switch_port(), leading to use-after-free when unlocking or accessing it afterward. This manifests as silent memory corruption or lock debugging warnings in production kernels.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction required (AV:L/AC:L/UI:N). Exploitation is feasible during CXL port detachment scenarios, such as reloading cxl_acpi with CXL devices present in environments like QEMU. Successful exploitation could result in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), including kernel memory corruption that might enable privilege escalation, denial of service, or arbitrary code execution, as indicated by the CVSS v3.1 score of 7.8.

Mitigation involves applying upstream kernel patches from the provided stable commit references, which establish a lifetime rule by having child ports hold a reference to their parent device upon allocation and release it only upon child release. This ensures parent_port remains valid throughout the child's lifetime, closing the use-after-free window in cxl_detach_ep(). Systems using affected kernel versions with CXL hardware should update to a patched kernel promptly.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: cxl/port: Fix use after free of parent_port in cxl_detach_ep()

cxl_detach_ep() is called during bottom-up removal when all CXL memory devices beneath a switch port have been removed. For each port in the hierarchy it locks both the port and its parent, removes the endpoint, and if the port is now empty, marks it dead and unregisters the port by calling delete_switch_port(). There are two places during this work where the parent_port may be used after freeing:

First, a concurrent detach may have already processed a port by the time a second worker finds it via bus_find_device(). Without pinning parent_port, it may already be freed when we discover port->dead and attempt to unlock the parent_port. In a production kernel that's a silent memory corruption, with lock debug, it looks like this:

    [] DEBUG_LOCKS_WARN_ON(__owner_task(owner) != get_current())
    [] WARNING: kernel/locking/mutex.c:949 at __mutex_unlock_slowpath+0x1ee/0x310
    [] Call Trace:
    []  mutex_unlock+0xd/0x20
    []  cxl_detach_ep+0x180/0x400 [cxl_core]
    []  devm_action_release+0x10/0x20
    []  devres_release_all+0xa8/0xe0
    []  device_unbind_cleanup+0xd/0xa0
    []  really_probe+0x1a6/0x3e0

Second, delete_switch_port() releases three devm actions registered against parent_port. The last of those is unregister_port() and it calls device_unregister() on the child port, which can cascade. If parent_port is now also empty the device core may unregister and free it too. So by the time delete_switch_port() returns, parent_port may be free, and the subsequent device_unlock(&parent_port->dev) operates on freed memory. The kernel log looks same as above, with a different offset in cxl_detach_ep().

Both of these issues stem from the absence of a lifetime guarantee between a child port and its parent port. Establish a lifetime rule for ports: child ports hold a reference to their parent device until release. Take the reference when the port is allocated and drop it when released. This ensures the parent is valid for the full lifetime of the child and eliminates the use after free window in cxl_detach_ep().

This is easily reproduced with a reload of cxl_acpi in QEMU with CXL devices present.
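The lifetime rule described in the deeper analysis and in the fix text above, as an added illustration that is not code from this page or from the kernel: a minimal user-space refcount model in which a child port pins its parent at allocation and drops that reference at release, so the parent cannot be freed while a child still points at it. The `struct port`, `port_get`/`port_put` and `freed_count` are assumed stand-ins for the kernel's device reference counting, not its real API.

```c
#include <stdlib.h>
#include <assert.h>
/* Added user-space model of the fix's lifetime rule: a child port takes a
 * reference on its parent at allocation and drops it at release. The
 * refcount is an assumed stand-in for kernel device refcounting. */
static int freed_count;   /* how many ports have actually been freed */

struct port {
    int refcount;
    struct port *parent;  /* kept alive by the reference this port holds */
};

static struct port *port_get(struct port *p) { if (p) p->refcount++; return p; }

static void port_put(struct port *p)
{
    if (!p) return;
    assert(p->refcount > 0);
    if (--p->refcount == 0) {
        struct port *parent = p->parent;  /* save before freeing p */
        freed_count++;
        free(p);
        port_put(parent);  /* releasing the child drops its parent ref */
    }
}

static struct port *port_alloc(struct port *parent)
{
    struct port *p = calloc(1, sizeof(*p));
    if (!p) return NULL;
    p->refcount = 1;               /* the port's own reference */
    p->parent = port_get(parent);  /* lifetime rule: pin the parent */
    return p;
}

/* Cascading case: the parent is unregistered (drops its own reference)
 * while a child still exists. Returns 1 when the parent survives until
 * the child is released, so child->parent never points at freed memory. */
int lifetime_rule_holds(void)
{
    freed_count = 0;
    struct port *parent = port_alloc(NULL);
    struct port *child = port_alloc(parent);
    port_put(parent);  /* parent unregistered; child's ref keeps it alive */
    int parent_alive = (freed_count == 0 && child->parent->refcount == 1);
    port_put(child);   /* child released; parent is freed only now */
    return parent_alive && freed_count == 2;
}
```

Without the `port_get(parent)` in `port_alloc`, the first `port_put(parent)` would free the parent and the later read of `child->parent` would be exactly the window the patch closes.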

CWE(s)

CWE-416: Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Use-after-free in Linux kernel CXL code enables local memory corruption leading directly to privilege escalation or arbitrary kernel code execution (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux Linux Kernel)
CVE-2026-43019 (same product: Linux Linux Kernel)
CVE-2026-23158 (same product: Linux Linux Kernel)
CVE-2025-21893 (same product: Linux Linux Kernel)
CVE-2026-31446 (same product: Linux Linux Kernel)
CVE-2026-31650 (same product: Linux Linux Kernel)
CVE-2026-23001 (same product: Linux Linux Kernel)
CVE-2024-50051 (same product: Linux Linux Kernel)
CVE-2025-21759 (same product: Linux Linux Kernel)
CVE-2026-23077 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 7.0; 6.3 to 6.12.80; 6.13 to 6.18.21; 6.19 to 6.19.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Mandates timely identification, reporting, and correction of flaws like this use-after-free in CXL port detachment by applying kernel patches.

SI-16 Memory Protection (prevent)
Implements kernel memory protections such as page permissions and isolation to mitigate exploitation of use-after-free vulnerabilities during device detachment.

Security alerts, advisories, and directives (detect, respond)
Requires receiving and acting on vendor security alerts and directives for kernel CVEs like CVE-2026-31530 to enable prompt flaw remediation.

References