CVE-2026-31530
Published: 22 April 2026
Summary
CVE-2026-31530 is a high-severity Use After Free (CWE-416) vulnerability in the Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 5.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-31530 is a use-after-free vulnerability in the Linux kernel's CXL (Compute Express Link) subsystem, specifically within the cxl/port code. The issue occurs in the cxl_detach_ep() function during bottom-up removal of CXL memory devices beneath a switch port. In this process, the function locks both the port and its parent_port, removes the endpoint, and may unregister the port if empty. However, parent_port can be freed prematurely due to concurrent detach operations or cascading unregistrations in delete_switch_port(), leading to use-after-free when unlocking or accessing it afterward. This manifests as silent memory corruption or lock debugging warnings in production kernels.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction required (AV:L/AC:L/UI:N). Exploitation is feasible during CXL port detachment scenarios, such as reloading cxl_acpi with CXL devices present in environments like QEMU. Successful exploitation could result in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), including kernel memory corruption that might enable privilege escalation, denial of service, or arbitrary code execution, as indicated by the CVSS v3.1 score of 7.8.
Mitigation involves applying upstream kernel patches from the provided stable commit references, which establish a lifetime rule by having child ports hold a reference to their parent device upon allocation and release it only upon child release. This ensures parent_port remains valid throughout the child's lifetime, closing the use-after-free window in cxl_detach_ep(). Systems using affected kernel versions with CXL hardware should update to a patched kernel promptly.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24925
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

cxl/port: Fix use after free of parent_port in cxl_detach_ep()

cxl_detach_ep() is called during bottom-up removal when all CXL memory devices beneath a switch port have been removed. For each port in the hierarchy it locks both the port and its parent, removes the endpoint, and if the port is now empty, marks it dead and unregisters the port by calling delete_switch_port().

There are two places during this work where the parent_port may be used after freeing:

First, a concurrent detach may have already processed a port by the time a second worker finds it via bus_find_device(). Without pinning parent_port, it may already be freed when we discover port->dead and attempt to unlock the parent_port. In a production kernel that's a silent memory corruption; with lock debug, it looks like this:

    DEBUG_LOCKS_WARN_ON(__owner_task(owner) != get_current())
    WARNING: kernel/locking/mutex.c:949 at __mutex_unlock_slowpath+0x1ee/0x310
    Call Trace:
     mutex_unlock+0xd/0x20
     cxl_detach_ep+0x180/0x400 [cxl_core]
     devm_action_release+0x10/0x20
     devres_release_all+0xa8/0xe0
     device_unbind_cleanup+0xd/0xa0
     really_probe+0x1a6/0x3e0

Second, delete_switch_port() releases three devm actions registered against parent_port. The last of those is unregister_port() and it calls device_unregister() on the child port, which can cascade. If parent_port is now also empty the device core may unregister and free it too. So by the time delete_switch_port() returns, parent_port may be free, and the subsequent device_unlock(&parent_port->dev) operates on freed memory. The kernel log looks the same as above, with a different offset in cxl_detach_ep().

Both of these issues stem from the absence of a lifetime guarantee between a child port and its parent port. Establish a lifetime rule for ports: child ports hold a reference to their parent device until release. Take the reference when the port is allocated and drop it when released. This ensures the parent is valid for the full lifetime of the child and eliminates the use after free window in cxl_detach_ep().

This is easily reproduced with a reload of cxl_acpi in QEMU with CXL devices present.
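The lifetime rule the fix introduces (take a reference on the parent when the child port is allocated, drop it only when the child is released) can be modelled in a few dozen lines of C. This is an added teaching example, not code from the kernel, the fix, or this advisory: the port structure, the port_alloc()/port_put()/port_unregister()/detach_ep() functions and the root/sw1/sw2 topology are all hypothetical, and "freeing" is a flag on static objects so the program never touches freed memory. It walks both windows the commit message describes: the cascade that unregisters an emptied parent inside the child's detach, and a second worker finding an already-dead port, and checks that the parent is still live at both device_unlock() calls, with the parent released only after the child's last reference drops.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a CXL-style port hierarchy. Objects live in static
 * storage and carry a "freed" flag instead of being kfree()d, so the
 * lifetime accounting can be checked without any real use-after-free. */
struct port {
    const char *name;
    int refcount;       /* like the embedded struct device's kobject refcount */
    int locked;         /* models device_lock()/device_unlock() */
    int nchildren;      /* child ports or endpoints still attached */
    int dead;           /* set once the port is being unregistered */
    int freed;          /* set when the last reference is dropped */
    struct port *parent;
};

static char free_order[64];     /* records the order in which ports were released */

static void port_put(struct port *p);

static struct port *port_get(struct port *p) {
    if (p) { assert(!p->freed); p->refcount++; }
    return p;
}

/* Final release: record it, then drop the parent pin taken at allocation. */
static void port_release(struct port *p) {
    struct port *parent = p->parent;
    p->freed = 1;
    if (free_order[0]) strcat(free_order, ",");
    strcat(free_order, p->name);
    port_put(parent);
}

static void port_put(struct port *p) {
    if (!p) return;
    assert(!p->freed && p->refcount > 0);
    if (--p->refcount == 0) port_release(p);
}

static void device_lock(struct port *p) { assert(!p->freed && !p->locked); p->locked = 1; }
/* Plays the role of DEBUG_LOCKS_WARN_ON: unlocking a freed object is the bug. */
static void device_unlock(struct port *p) { assert(!p->freed && p->locked); p->locked = 0; }

static struct port *port_alloc(struct port *slot, const char *name, struct port *parent) {
    memset(slot, 0, sizeof *slot);
    slot->name = name;
    slot->refcount = 1;                 /* the creator's reference */
    slot->parent = port_get(parent);    /* the fix: pin the parent for our lifetime */
    if (parent) parent->nchildren++;
    return slot;
}

/* delete_switch_port()-style unregister; cascades into a parent it empties. */
static void port_unregister(struct port *p) {
    struct port *parent = p->parent;
    p->dead = 1;
    if (parent) {
        parent->nchildren--;
        if (parent->nchildren == 0 && parent->parent) port_unregister(parent);
    }
    port_put(p);                        /* drop the creator's reference */
}

/* cxl_detach_ep()-style path for one port the caller found and pinned.
 * Returns 1 if the parent was still live when it was unlocked. */
static int detach_ep(struct port *port) {
    struct port *parent = port->parent;
    device_lock(parent);
    if (port->dead) {                   /* a concurrent detach already handled it */
        int ok = !parent->freed;
        device_unlock(parent);
        return ok;
    }
    device_lock(port);
    port->nchildren--;                  /* remove the endpoint */
    if (port->nchildren == 0) port_unregister(port);   /* may cascade upward */
    device_unlock(port);
    int ok = !parent->freed;
    device_unlock(parent);              /* safe: port still pins parent */
    return ok;
}

static struct port root, sw1, sw2;

/* Constructed topology: root -> switch sw1 -> switch sw2 -> one endpoint.
 * Two workers race to detach the same endpoint port. */
static int run_scenario(void) {
    free_order[0] = '\0';
    port_alloc(&root, "root", NULL);
    port_alloc(&sw1, "sw1", &root);
    port_alloc(&sw2, "sw2", &sw1);
    sw2.nchildren++;                    /* the endpoint beneath sw2 */

    struct port *w1 = port_get(&sw2);   /* worker 1: bus_find_device() pins it */
    struct port *w2 = port_get(&sw2);   /* worker 2 found the same port */
    int ok1 = detach_ep(w1);            /* empties sw2; cascade unregisters sw1 */
    int ok2 = detach_ep(w2);            /* sees sw2.dead, unlocks a live parent */
    port_put(w1);
    port_put(w2);                       /* last reference: sw2 released, then sw1 */
    return ok1 && ok2;
}

int main(void) {
    int ok = run_scenario();
    printf("parent live at unlock: %s; release order: %s; root freed: %d\n",
           ok ? "yes" : "no", free_order, root.freed);
    return ok ? 0 : 1;
}
```

The assert in device_unlock() stands in for the lock-debugging warning in the commit message. Removing the port_get(parent) in port_alloc() and the matching port_put(parent) in port_release() reproduces the pre-fix accounting: the cascade in port_unregister() then drops sw1's last reference inside detach_ep(), and the final device_unlock(parent) fires the assertion exactly where the second window in the commit message says it does.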
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use-after-free in Linux kernel CXL code enables local memory corruption leading directly to privilege escalation or arbitrary kernel code execution (T1068).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Mandates timely identification, reporting, and correction of flaws like this use-after-free in CXL port detachment by applying kernel patches.
- SI-16 (Memory Protection): Implements kernel memory protections such as page permissions and isolation to mitigate exploitation of use-after-free vulnerabilities during device detachment.
- SI-5 (Security Alerts, Advisories, and Directives): Requires receiving and acting on vendor security alerts and directives for kernel CVEs like CVE-2026-31530 to enable prompt flaw remediation.