CVE-2026-31582
Published: 24 April 2026
Summary
CVE-2026-31582 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 3.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-31582 is a use-after-free vulnerability in the Linux kernel's hwmon subsystem, specifically the powerz driver for USB power monitoring devices. The issue occurs when powerz_disconnect() frees the URB (USB Request Block) and releases the mutex, allowing a subsequent powerz_read() call to acquire the mutex and invoke powerz_read_data(), which dereferences the already-freed URB pointer. This flaw, classified under CWE-416, carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by triggering a USB disconnect event on a powerz device while concurrently attempting read operations. Successful exploitation could lead to arbitrary code execution, data corruption, or kernel crashes, as the use-after-free allows manipulation of freed memory, potentially granting high confidentiality, integrity, and availability impacts.
The provided kernel patch commits detail the mitigation steps: setting priv->urb to NULL in powerz_disconnect() to indicate disconnection, adding a !priv->urb check at the start of powerz_read_data() to return -ENODEV for disconnected devices, and relocating usb_set_intfdata() before hwmon registration to ensure the disconnect handler can reliably access the priv pointer. Security practitioners should apply the relevant stable kernel updates from the referenced git commits to affected systems.
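The following is an added, user-space model of the ordering problem described above and of the fix pattern the commits apply; it is not the kernel's powerz code. The names dev_priv, model_probe, model_disconnect_*, model_read_data and model_demo are hypothetical, the URB is stood in for by a heap buffer, and the kernel mutex is modelled by a held flag because the example is single-threaded: what it demonstrates is that freeing the buffer under the lock, clearing the pointer, and checking for NULL before dereferencing turns a read after disconnect into a clean -ENODEV instead of a dereference of freed memory.

```c
/* Added example (not kernel code): model of the powerz disconnect/read fix.
 * dev_priv, model_* names are hypothetical; the kernel URB and mutex are
 * replaced by a heap buffer and a single-threaded lock flag. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the USB request block kept alive while the device is bound. */
struct model_urb {
    char buf[64];
};

/* Stand-in for the driver's private data (the kernel's priv). */
struct dev_priv {
    int lock_held;           /* models the mutex; 1 while "held" */
    struct model_urb *urb;   /* NULL once the device has been disconnected */
};

static void model_lock(struct dev_priv *priv)   { priv->lock_held = 1; }
static void model_unlock(struct dev_priv *priv) { priv->lock_held = 0; }

struct dev_priv *model_probe(void)
{
    struct dev_priv *priv = calloc(1, sizeof(*priv));
    if (!priv)
        return NULL;
    priv->urb = calloc(1, sizeof(*priv->urb));
    if (!priv->urb) {
        free(priv);
        return NULL;
    }
    /* Constructed sample reading the "device" would return. */
    strcpy(priv->urb->buf, "voltage=5000;current=1200");
    return priv;
}

/* Pre-fix pattern, shown for contrast and never called below: the URB is
 * freed but the pointer is left dangling, so a later reader cannot tell
 * that the device is gone. */
void model_disconnect_vulnerable(struct dev_priv *priv)
{
    model_lock(priv);
    free(priv->urb);
    model_unlock(priv);
}

/* Fixed pattern: free under the lock and clear the pointer, so the
 * disconnected state is visible to whoever takes the lock next. */
void model_disconnect_fixed(struct dev_priv *priv)
{
    model_lock(priv);
    free(priv->urb);
    priv->urb = NULL;
    model_unlock(priv);
}

/* Fixed pattern: the !priv->urb check runs before any dereference and
 * reports -ENODEV for a disconnected device. */
int model_read_data(struct dev_priv *priv, char *out, size_t outlen)
{
    int ret = 0;

    model_lock(priv);
    if (!priv->urb) {
        ret = -ENODEV;
        goto out;
    }
    snprintf(out, outlen, "%s", priv->urb->buf);
out:
    model_unlock(priv);
    return ret;
}

void model_release(struct dev_priv *priv)
{
    free(priv);
}

/* Read while bound, disconnect, read again; returns the second result
 * (-ENODEV) when the first read succeeded, otherwise the first error. */
int model_demo(void)
{
    char buf[64];
    struct dev_priv *priv = model_probe();
    int before, after;

    if (!priv)
        return -ENOMEM;
    before = model_read_data(priv, buf, sizeof(buf));
    model_disconnect_fixed(priv);
    after = model_read_data(priv, buf, sizeof(buf));
    model_release(priv);
    return (before == 0) ? after : before;
}

int main(void)
{
    int ret = model_demo();
    printf("read after disconnect returned %d (%s)\n", ret,
           ret == -ENODEV ? "-ENODEV" : "unexpected");
    return 0;
}
```

The third part of the fix, registering the interface data before hwmon registration, is not modelled here; its purpose is simply to guarantee that the disconnect handler can always reach the priv structure whose pointer is being cleared.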
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25475
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

hwmon: (powerz) Fix use-after-free on USB disconnect

After powerz_disconnect() frees the URB and releases the mutex, a subsequent powerz_read() call can acquire the mutex and call powerz_read_data(), which dereferences the freed URB pointer. Fix by:
- Setting priv->urb to NULL in powerz_disconnect() so that powerz_read_data() can detect the disconnected state.
- Adding a !priv->urb check at the start of powerz_read_data() to return -ENODEV on a disconnected device.
- Moving usb_set_intfdata() before hwmon registration so the disconnect handler can always find the priv pointer.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local kernel use-after-free in a USB/hwmon driver provides an arbitrary-code-execution primitive for privilege escalation from a low-privileged user context.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the use-after-free in the powerz driver by requiring timely application of the kernel patch that nulls the URB pointer, adds the disconnect check, and registers the interface data before hwmon registration.
- Memory protection: mechanisms such as address space layout randomization and data execution prevention raise the cost of turning the freed-pointer dereference in powerz_read_data() into code execution.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning identifies systems running kernel versions affected by CVE-2026-31582, enabling remediation before local exploitation via the USB disconnect race.