CVE-2026-31650
Published: 24 April 2026
Summary
CVE-2026-31650 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 2.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the use-after-free vulnerability by requiring timely application of the kernel patch that reverts controller allocation to non-managed and corrects lifetime management tied to the USB interface.
Implements memory protection safeguards like reference counting validation and memory pool management to prevent use-after-free errors in kernel drivers such as vub300 during unbind or disconnect.
Enforces least functionality by disabling or restricting unnecessary kernel drivers like vub300, preventing the loading of the vulnerable component and associated exploitation during probe or unbind.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local kernel use-after-free in the vub300 driver enables arbitrary code execution from a low-privileged context, mapping directly to Exploitation for Privilege Escalation (T1068) with high impact on confidentiality, integrity, and availability.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: mmc: vub300: fix use-after-free on disconnect. The vub300 driver maintains an explicit reference count for the controller and its driver data and the last reference can in theory be dropped after the driver has been unbound. This specifically means that the controller allocation must not be device managed as that can lead to use-after-free. Note that the lifetime is currently also incorrectly tied to the parent USB device rather than interface, which can lead to memory leaks if the driver is unbound without its device being physically disconnected (e.g. on probe deferral). Fix both issues by reverting to non-managed allocation of the controller.
Deeper analysis
CVE-2026-31650 is a use-after-free vulnerability in the Linux kernel's vub300 driver within the MMC subsystem. The driver maintains an explicit reference count for the controller and its driver data, but the controller allocation was device-managed, which can lead to a use-after-free when the last reference is dropped after the driver has been unbound. In addition, the controller's lifetime was incorrectly tied to the parent USB device rather than the interface, which can cause memory leaks when the driver is unbound without the device being physically disconnected, for example on probe deferral.
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction, as indicated by its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could have a high impact on confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data corruption, or system crashes via crafted operations during driver disconnect or unbind.
The patches referenced from the kernel.org stable branches resolve the issue by reverting the controller allocation to non-managed, which prevents the use-after-free, and by tying the controller's lifetime to the USB interface rather than the parent device, which also addresses the related memory leaks. Security practitioners should apply these kernel stable updates to affected systems that use the vub300 driver.
Details
- CWE(s)