CVE-2026-31587
Published: 24 April 2026
Summary
CVE-2026-31587 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31587 is a use-after-free vulnerability (CWE-416) in the Linux kernel's ASoC (ALSA System on Chip) subsystem, specifically the Qualcomm q6apm driver. The issue arises when the q6apm component dynamically registers DAI (Digital Audio Interface) elements from ASoC topology using device-managed allocation APIs. This leads to incorrect free ordering, where DAIs are freed while the component still holds references to them, as detected by KASAN in snd_soc_del_component_unlocked during component cleanup triggered by APR/PDR notifier workqueues. The vulnerability affects Linux kernels on Qualcomm platforms, with a reported instance on Lenovo hardware running BIOS N42ET57W.
A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N) can exploit this vulnerability, as indicated by its CVSS v3.1 base score of 7.8. Exploitation occurs during device unbinding or removal, such as in response to platform driver status changes via PDR notifiers, potentially allowing the attacker to trigger the use-after-free in kernel audio component handling. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H), enabling kernel memory corruption, denial of service, or potential privilege escalation.
Mitigation is provided through upstream kernel patches available in the stable tree, including commits such as 30383b7780ffa140bc124de5b66cae7c84133dbb, 6ec1235fc941dac6c011b30ee01d9220ff87e0cd, 887632163b546a8944b46ef465f1d74e838b727a, a561a55b79a9c55f0443377f2d4dcf6149d057af, and b7412ed789ffb1e59c8d6f5ab6a6a718963c85e2. These patches resolve the issue by shifting q6apm component registration to the unmanaged version, ensuring DAI pointers are freed only after component removal. Security practitioners should apply these stable updates to affected kernels on Qualcomm-based systems.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25480
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: q6apm: move component registration to unmanaged version q6apm component registers dais dynamically from ASoC toplology, which are allocated using device managed version apis. Allocating both component and dynamic…
more
dais using managed version could lead to incorrect free ordering, dai will be freed while component still holding references to it. Fix this issue by moving component to unmanged version so that the dai pointers are only freeded after the component is removed. ================================================================== BUG: KASAN: slab-use-after-free in snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core] Read of size 8 at addr ffff00084493a6e8 by task kworker/u48:0/3426 Tainted: [W]=WARN Hardware name: LENOVO 21N2ZC5PUS/21N2ZC5PUS, BIOS N42ET57W (1.31 ) 08/08/2024 Workqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface] Call trace: show_stack+0x28/0x7c (C) dump_stack_lvl+0x60/0x80 print_report+0x160/0x4b4 kasan_report+0xac/0xfc __asan_report_load8_noabort+0x20/0x34 snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core] snd_soc_unregister_component_by_driver+0x50/0x88 [snd_soc_core] devm_component_release+0x30/0x5c [snd_soc_core] devres_release_all+0x13c/0x210 device_unbind_cleanup+0x20/0x190 device_release_driver_internal+0x350/0x468 device_release_driver+0x18/0x30 bus_remove_device+0x1a0/0x35c device_del+0x314/0x7f0 device_unregister+0x20/0xbc apr_remove_device+0x5c/0x7c [apr] device_for_each_child+0xd8/0x160 apr_pd_status+0x7c/0xa8 [apr] pdr_notifier_work+0x114/0x240 [pdr_interface] process_one_work+0x500/0xb70 worker_thread+0x630/0xfb0 kthread+0x370/0x6c0 ret_from_fork+0x10/0x20 Allocated by task 77: kasan_save_stack+0x40/0x68 kasan_save_track+0x20/0x40 kasan_save_alloc_info+0x44/0x58 __kasan_kmalloc+0xbc/0xdc __kmalloc_node_track_caller_noprof+0x1f4/0x620 devm_kmalloc+0x7c/0x1c8 snd_soc_register_dai+0x50/0x4f0 [snd_soc_core] soc_tplg_pcm_elems_load+0x55c/0x1eb8 [snd_soc_core] snd_soc_tplg_component_load+0x4f8/0xb60 [snd_soc_core] audioreach_tplg_init+0x124/0x1fc [snd_q6apm] q6apm_audio_probe+0x10/0x1c [snd_q6apm] snd_soc_component_probe+0x5c/0x118 [snd_soc_core] soc_probe_component+0x44c/0xaf0 [snd_soc_core] snd_soc_bind_card+0xad0/0x2370 [snd_soc_core] snd_soc_register_card+0x3b0/0x4c0 [snd_soc_core] devm_snd_soc_register_card+0x50/0xc8 [snd_soc_core] x1e80100_platform_probe+0x208/0x368 [snd_soc_x1e80100] platform_probe+0xc0/0x188 really_probe+0x188/0x804 __driver_probe_device+0x158/0x358 driver_probe_device+0x60/0x190 __device_attach_driver+0x16c/0x2a8 bus_for_each_drv+0x100/0x194 __device_attach+0x174/0x380 device_initial_probe+0x14/0x20 bus_probe_device+0x124/0x154 deferred_probe_work_func+0x140/0x220 process_one_work+0x500/0xb70 worker_thread+0x630/0xfb0 kthread+0x370/0x6c0 ret_from_fork+0x10/0x20 Freed by task 3426: kasan_save_stack+0x40/0x68 kasan_save_track+0x20/0x40 __kasan_save_free_info+0x4c/0x80 __kasan_slab_free+0x78/0xa0 kfree+0x100/0x4a4 devres_release_all+0x144/0x210 device_unbind_cleanup+0x20/0x190 device_release_driver_internal+0x350/0x468 device_release_driver+0x18/0x30 bus_remove_device+0x1a0/0x35c device_del+0x314/0x7f0 device_unregister+0x20/0xbc apr_remove_device+0x5c/0x7c [apr] device_for_each_child+0xd8/0x160 apr_pd_status+0x7c/0xa8 [apr] pdr_notifier_work+0x114/0x240 [pdr_interface] process_one_work+0x500/0xb70 worker_thread+0x630/0xfb0 kthread+0x370/0x6c0 ret_from_fork+0x10/0x20
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Kernel use-after-free in Qualcomm ASoC driver enables local privilege escalation via memory corruption during device unbind/PDR events.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires patching the use-after-free flaw in the q6apm driver as provided by upstream kernel commits to eliminate the vulnerability.
Vulnerability scanning identifies the kernel CVE-2026-31587, triggering remediation to apply fixes before local exploitation.
Memory protection mechanisms restrict unauthorized access to freed DAI pointers during component cleanup, hindering UAF exploitation.