Cyber Resilience

CVE-2026-31578

High · Updated

Published: 24 April 2026

Modified: 01 June 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 2.6th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-31578 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 2.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31578 is a race condition vulnerability in the Linux kernel's as102_usb driver within the media subsystem. The issue arises during the as102_usb_probe() function, where memory for an as102_dev_t structure is allocated, the USB character device is registered via usb_register_dev(), and then on an error path, the device is immediately deregistered with usb_deregister_dev() followed by a direct kfree() of the structure. This creates a window where a concurrent open() by userspace can obtain a valid file descriptor before deregistration, leading to a use-after-free (UAF) and potential double-free (DFB) when the file descriptor's .release() callback (as102_release() -> as102_usb_release()) is later invoked on the already-freed memory. The vulnerability is classified under CWE-416 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability by racing to open the /dev node corresponding to the as102 USB device immediately after usb_register_dev() succeeds but before the probe error path executes usb_deregister_dev() and kfree(). If successful, the attacker's open file descriptor remains valid post-deregistration, and upon closing it, the driver's release callback accesses or frees the already-freed as102_dev_t structure, enabling UAF or DFB. This can result in arbitrary code execution, memory corruption, or kernel crashes, granting high confidentiality, integrity, and availability impacts within the local attack surface.

The provided kernel patch references detail the mitigation, which modifies as102_usb_probe() to avoid direct kfree() of as102_dev_t after a successful usb_register_dev(). Instead, memory freeing is deferred to the driver's .release() callback, ensuring it occurs only after all open file descriptors are closed and the final reference is dropped. These fixes are available in stable kernel commits such as 09e9206008b887aa553733bd915d73131071a086, 2eeae47a438694408189138048a786be99954032, and others listed.
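The ownership rule behind the fix, as an added userspace model (not the driver's code and not the upstream patch). It assumes a reference count in which probe holds one reference and each open fd holds one; `model_dev`, `model_kfree`, `model_put` and `replay` are hypothetical names.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model, not kernel code; "freed" stands in for kfree(). */
struct model_dev {
    int  refs;        /* probe's reference plus one per open fd */
    bool registered;  /* device node visible, open() can succeed */
    bool freed;       /* models kfree() of the as102_dev_t */
};

static int violations; /* touches of already-freed memory (UAF or double free) */

static void model_kfree(struct model_dev *d)
{
    violations += d->freed;       /* freeing twice is a double free */
    d->freed = true;
}

/* Drop one reference; only the last holder frees. */
static void model_put(struct model_dev *d)
{
    if (d->freed)
        violations++;             /* .release() ran on freed memory */
    else if (--d->refs == 0)
        model_kfree(d);
}

/* Replay the CPU0/CPU1 interleaving: violations seen, or -1 on a leak. */
int replay(bool deferred_free, bool racing_open)
{
    struct model_dev d = { .refs = 1, .registered = true, .freed = false };
    bool fd_open = racing_open && d.registered; /* CPU1: open() wins the race */
    violations = 0;
    if (fd_open)
        d.refs++;
    d.registered = false;          /* CPU0: usb_deregister_dev() */
    if (deferred_free)
        model_put(&d);             /* fixed: drop the probe reference only */
    else
        model_kfree(&d);           /* vulnerable: direct kfree() */
    if (fd_open)
        model_put(&d);             /* CPU1: close() -> .release() */
    return d.freed ? violations : -1;
}

int main(void)
{
    printf("direct kfree: %d, deferred free: %d\n", replay(false, true), replay(true, true));
    return 0;
}
```

With the deferred free, the structure is released exactly once whether or not an open() raced the error path, so the fix neither leaks nor touches freed memory.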

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

media: as102: fix to not free memory after the device is registered in as102_usb_probe()

In as102_usb driver, the following race condition occurs:

```
CPU0                                    CPU1
as102_usb_probe()
  kzalloc(); // alloc as102_dev_t
  ....
  usb_register_dev();
                                        fd = sys_open("/path/to/dev"); // open as102 fd
                                        ....
  usb_deregister_dev();
  ....
  kfree(); // free as102_dev_t
  ....
                                        sys_close(fd);
                                          as102_release() // UAF!!
                                            as102_usb_release()
                                              kfree(); // DFB!!
```

When a USB character device registered with usb_register_dev() is later unregistered (via usb_deregister_dev() or disconnect), the device node is removed so new open() calls fail. However, file descriptors that are already open do not go away immediately: they remain valid until the last reference is dropped and the driver's .release() is invoked.

In as102, as102_usb_probe() calls usb_register_dev() and then, on an error path, does usb_deregister_dev() and frees as102_dev_t right away. If userspace raced a successful open() before the deregistration, that open FD will later hit as102_release() --> as102_usb_release() and access or free as102_dev_t again, causing a race that leads to a use-after-free and double-free vulnerability.

The fix is to never kfree(as102_dev_t) directly once usb_register_dev() has succeeded. After deregistration, defer freeing memory to .release(). In other words, let release() perform the last kfree when the final open FD is closed.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF/DFB race in USB driver probe enables low-priv arbitrary code execution and memory corruption, directly mapping to exploitation for privilege escalation on Linux.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 · Same product: Linux Linux Kernel
CVE-2026-31530 · Same product: Linux Linux Kernel
CVE-2026-43019 · Same product: Linux Linux Kernel
CVE-2026-23158 · Same product: Linux Linux Kernel
CVE-2025-21893 · Same product: Linux Linux Kernel
CVE-2026-31446 · Same product: Linux Linux Kernel
CVE-2026-31650 · Same product: Linux Linux Kernel
CVE-2026-23001 · Same product: Linux Linux Kernel
CVE-2024-50051 · Same product: Linux Linux Kernel
CVE-2025-21759 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
≤ 6.6.136 · 6.7 — 6.12.83 · 6.13 — 6.18.24

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Requires timely remediation of the specific race condition causing UAF/DFB in the as102_usb driver via kernel patching.

prevent

Prohibits loading of unnecessary kernel drivers like as102_usb, eliminating exposure to the probe race vulnerability.

prevent

Implements kernel memory protections such as KASLR and slab allocator hardening to mitigate exploitation of the UAF/DFB even if the race occurs.

References