CVE-2026-31758
Published: 01 May 2026
Summary
CVE-2026-31758 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31758 is a use-after-free vulnerability in the Linux kernel's USBTMC (USB Test and Measurement Class) driver. The issue arises during the usbtmc_release function, where pending anchored URBs are not flushed or killed, potentially leading to use-after-free errors, such as in the host controller driver (HCD) giveback path. This affects Linux kernel versions prior to the application of the relevant stable patches.
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required, as indicated by its CVSS 3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation involves triggering the usbtmc_release call while anchored URBs remain pending, allowing the attacker to achieve high impacts on confidentiality, integrity, and availability through memory corruption.
Mitigation requires updating to a Linux kernel version that includes the fixing commits from the stable tree, such as 7fa8f61bab3fb75b5deba8a0f3abb74dc5068d9f, 8a768552f7a8276fb9e01d49773d2094ace7c8f1, 959ef329071136e4335b54822fe2f607659b4569, 95e09b07e50290254b28b8395509473104518f8c, and 977b632db51d231dec0bc571089a5c2402674139. These patches resolve the issue by calling usbtmc_draw_down() in usbtmc_release to properly complete anchored URBs.
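As an added example (not part of the advisory or the kernel source), the following Python performs a source-level check for the fix described above: it locates the usbtmc_release() definition in a copy of the driver source and reports whether that function calls usbtmc_draw_down(), ignoring mentions that appear only in comments. The C snippets and the usbtmc_draw_down(file->private_data) call form are constructed stand-ins for drivers/usb/class/usbtmc.c, not the real driver code.

```python
import re

# Added example, not from the advisory or the kernel tree: a source-level check
# that usbtmc_release() calls usbtmc_draw_down(), the fix named in the advisory.

def strip_comments(source: str) -> str:
    """Drop /* */ and // comments so a mention in a comment is not a match."""
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    return re.sub(r"//[^\n]*", "", source)

def extract_function_body(source: str, name: str):
    """Return the brace-delimited body of C function `name`, or None if absent."""
    # Calls and prototypes end in ';', so ')' followed by '{' selects the definition.
    m = re.search(r"\b" + re.escape(name) + r"\s*\([^;{)]*\)\s*\{", source)
    if m is None:
        return None
    depth = 0
    for i in range(m.end() - 1, len(source)):  # count braces to the matching '}'
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[m.end() - 1 : i + 1]
    return None  # unbalanced braces: treat as not found

def release_flushes_anchored_urbs(source: str) -> bool:
    """True if usbtmc_release() calls usbtmc_draw_down() (the patched shape)."""
    body = extract_function_body(strip_comments(source), "usbtmc_release")
    return body is not None and re.search(r"\busbtmc_draw_down\s*\(", body) is not None

# Constructed stand-ins: the unpatched release path only mentions the fix in a
# comment; the patched one calls it before freeing the per-file state.
VULNERABLE_RELEASE = """
static int usbtmc_release(struct inode *inode, struct file *file)
{
        /* TODO: usbtmc_draw_down() should run here */
        kfree(file->private_data);
        return 0;
}
"""

FIXED_RELEASE = """
static int usbtmc_release(struct inode *inode, struct file *file)
{
        usbtmc_draw_down(file->private_data);  /* complete anchored URBs first */
        kfree(file->private_data);
        return 0;
}
"""
```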
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26571
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: usb: usbtmc: Flush anchored URBs in usbtmc_release. When calling usbtmc_release, pending anchored URBs must be flushed or killed to prevent use-after-free errors (e.g. in the HCD giveback path). Call usbtmc_draw_down() to allow anchored URBs to be completed.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel use-after-free in USBTMC driver directly enables memory corruption for privilege escalation (T1068) by a low-privileged attacker with no user interaction.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the use-after-free vulnerability by requiring identification, reporting, and application of kernel patches that flush anchored URBs in usbtmc_release.
- SI-16 (Memory Protection): Provides memory protections such as execute restrictions and page permissions that directly mitigate exploitation of use-after-free errors in the USBTMC kernel driver.
- Prevents exposure to the vulnerable USBTMC driver by restricting or prohibiting non-essential kernel modules and functionality.