Cyber Resilience

CVE-2026-31650

High

Published: 24 April 2026

Published
24 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 3.3th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-31650 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31650 is a use-after-free vulnerability in the Linux kernel's vub300 driver within the MMC subsystem. The issue arises because the driver maintains an explicit reference count for the controller and its driver data, but the controller allocation was device-managed, which can lead to use-after-free when the last reference is dropped after the driver is unbound. Additionally, the controller's lifetime was incorrectly tied to the parent USB device rather than the interface, potentially causing memory leaks during unbinding without physical disconnection, such as probe deferral.

A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data corruption, or system crashes via crafted operations during driver disconnect or unbind scenarios.

The provided patch references from kernel.org stable branches resolve the issues by reverting the controller allocation to non-managed, preventing use-after-free, and correcting the lifetime management to tie it to the USB interface rather than the parent device, which also addresses related memory leaks. Security practitioners should apply these kernel stable updates to affected systems using the vub300 driver.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: mmc: vub300: fix use-after-free on disconnect The vub300 driver maintains an explicit reference count for the controller and its driver data and the last reference can in theory be dropped…

more

after the driver has been unbound. This specifically means that the controller allocation must not be device managed as that can lead to use-after-free. Note that the lifetime is currently also incorrectly tied the parent USB device rather than interface, which can lead to memory leaks if the driver is unbound without its device being physically disconnected (e.g. on probe deferral). Fix both issues by reverting to non-managed allocation of the controller.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel use-after-free in vub300 driver enables arbitrary code execution from low-privileged context, directly mapping to exploitation for privilege escalation (T1068) with high impact on confidentiality/integrity/availability.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2026-43019Same product: Linux Linux Kernel
CVE-2026-23158Same product: Linux Linux Kernel
CVE-2025-21893Same product: Linux Linux Kernel
CVE-2026-31446Same product: Linux Linux Kernel
CVE-2026-23001Same product: Linux Linux Kernel
CVE-2024-50051Same product: Linux Linux Kernel
CVE-2025-21759Same product: Linux Linux Kernel
CVE-2026-23077Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.17, 7.0 · 6.17.1 — 6.18.23 · 6.19 — 6.19.13

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the use-after-free vulnerability by requiring timely application of the kernel patch that reverts controller allocation to non-managed and corrects lifetime management tied to the USB interface.

prevent

Implements memory protection safeguards like reference counting validation and memory pool management to prevent use-after-free errors in kernel drivers such as vub300 during unbind or disconnect.

prevent

Enforces least functionality by disabling or restricting unnecessary kernel drivers like vub300, preventing the loading of the vulnerable component and associated exploitation during probe or unbind.

References