
CVE-2026-31758

Severity: High
Published: 01 May 2026
Modified: 08 May 2026
KEV Added: not listed
Patch: see the fixing commits under Deeper analysis
CVSS Score (v3.1): 7.8, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0001 (3.6th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31758 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel (vendor: Linux). Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 3.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31758 is a use-after-free vulnerability in the Linux kernel's USBTMC (USB Test and Measurement Class) driver. The issue arises during the usbtmc_release function, where pending anchored URBs are not flushed or killed, potentially leading to use-after-free errors, such as in the host controller driver (HCD) giveback path. This affects Linux kernel versions prior to the application of the relevant stable patches.

A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required, as indicated by its CVSS 3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation involves triggering the usbtmc_release call while anchored URBs remain pending, allowing the attacker to achieve high impacts on confidentiality, integrity, and availability through memory corruption.

Mitigation requires updating to a Linux kernel version that includes the fixing commits from the stable tree, such as 7fa8f61bab3fb75b5deba8a0f3abb74dc5068d9f, 8a768552f7a8276fb9e01d49773d2094ace7c8f1, 959ef329071136e4335b54822fe2f607659b4569, 95e09b07e50290254b28b8395509473104518f8c, and 977b632db51d231dec0bc571089a5c2402674139. These patches resolve the issue by calling usbtmc_draw_down() in usbtmc_release to properly complete anchored URBs.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: usb: usbtmc: Flush anchored URBs in usbtmc_release. When calling usbtmc_release, pending anchored URBs must be flushed or killed to prevent use-after-free errors (e.g. in the HCD giveback path). Call usbtmc_draw_down() to allow anchored URBs to be completed.

CWE(s)

CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel use-after-free in USBTMC driver directly enables memory corruption for privilege escalation (T1068) by a low-privileged attacker with no user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux kernel)
CVE-2026-31530 (same product: Linux kernel)
CVE-2026-43019 (same product: Linux kernel)
CVE-2026-23158 (same product: Linux kernel)
CVE-2025-21893 (same product: Linux kernel)
CVE-2026-31446 (same product: Linux kernel)
CVE-2026-31650 (same product: Linux kernel)
CVE-2026-23001 (same product: Linux kernel)
CVE-2024-50051 (same product: Linux kernel)
CVE-2025-21759 (same product: Linux kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 7.0; 4.19 to 5.10.253; 5.11 to 5.15.203; 5.16 to 6.1.168

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent, recover): Directly remediates the use-after-free vulnerability by requiring identification, reporting, and application of kernel patches that flush anchored URBs in usbtmc_release.

SI-16 Memory Protection (prevent): Provides memory protections such as execute restrictions and page permissions that directly mitigate exploitation of use-after-free errors in the USBTMC kernel driver.

Restrict non-essential kernel modules (prevent): Prevents exposure to the vulnerable USBTMC driver by restricting or prohibiting non-essential kernel modules and functionality.
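The following script is an added defender-side check and is not part of this advisory or of the Linux project. It ties together the Affected Assets section (is the running kernel inside one of the listed version ranges?) and the module-restriction control above (is usbtmc currently loaded, and what would a modprobe blacklist entry look like?). It assumes that each listed upper bound is the last affected release of its series and that kernels outside the listed ranges are out of scope for this CVE; the `lsmod` sample is constructed, and the `live_check()` helper is only a convenience wrapper around `uname -r` and `lsmod`.

```python
"""Added example: check a kernel release and lsmod output against the
affected ranges published for CVE-2026-31758. Not the advisory's code."""
import re
import subprocess

# Ranges from the page's Affected Assets section, as (first, last) tuples.
# Assumption: the listed upper bound is the last affected version.
AFFECTED_RANGES = [
    ((4, 19, 0), (5, 10, 253)),
    ((5, 11, 0), (5, 15, 203)),
    ((5, 16, 0), (6, 1, 168)),
]
# The page also lists "7.0" on its own as an affected version.
AFFECTED_SINGLE = [(7, 0, 0)]

# Constructed sample of `lsmod` output showing the USBTMC driver loaded.
SAMPLE_LSMOD = """Module                  Size  Used by
usbtmc                 32768  0
usbcore               327680  3 usbtmc,xhci_hcd,ehci_hcd
"""


def parse_kernel_version(release: str) -> tuple:
    """Turn a `uname -r` string such as '5.15.200-generic' into (5, 15, 200).
    A missing patch level (e.g. '4.19') is treated as .0."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected_version(release: str) -> bool:
    """True if the release falls inside any range the advisory lists.
    Tuple comparison is lexicographic, so (5,10,254) > (5,10,253)."""
    v = parse_kernel_version(release)
    if v in AFFECTED_SINGLE:
        return True
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def usbtmc_loaded(lsmod_output: str) -> bool:
    """True if a row of `lsmod` output names the usbtmc module."""
    for line in lsmod_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if fields and fields[0] == "usbtmc":
            return True
    return False


def blacklist_config() -> str:
    """modprobe.d fragment that stops usbtmc from being auto-loaded and
    makes an explicit `modprobe usbtmc` a no-op (standard modprobe.d syntax)."""
    return "blacklist usbtmc\ninstall usbtmc /bin/true\n"


def assess(release: str, lsmod_output: str) -> dict:
    """Combine both signals into one verdict with a suggested action."""
    affected = is_affected_version(release)
    loaded = usbtmc_loaded(lsmod_output)
    if affected and loaded:
        action = "patch kernel (SI-2); until then unload and blacklist usbtmc"
    elif affected:
        action = "patch kernel (SI-2); keep usbtmc blacklisted so it cannot load"
    elif loaded:
        action = "kernel outside listed ranges; confirm usbtmc is actually needed"
    else:
        action = "no action for this CVE"
    return {"release": release, "affected": affected,
            "usbtmc_loaded": loaded, "action": action}


def live_check() -> dict:
    """Run the assessment against the current host (Linux only)."""
    release = subprocess.run(["uname", "-r"], capture_output=True,
                             text=True, check=True).stdout.strip()
    lsmod = subprocess.run(["lsmod"], capture_output=True,
                           text=True, check=True).stdout
    return assess(release, lsmod)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(assess("5.15.200-generic", SAMPLE_LSMOD))
```

Run it without arguments to see the verdict for the constructed sample, or call `live_check()` from a Linux shell to assess the current host; the only decisions it makes are the two the advisory's own controls describe, patch level and module exposure.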
