CVE-2026-31769
Published: 01 May 2026
Summary
CVE-2026-31769 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks in the 3.3rd percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31769 is a use-after-free in the Linux kernel's gpib (General Purpose Interface Bus) driver. The IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers obtain a gpib_descriptor pointer via handle_to_descriptor() and keep using it after board->big_gpib_mutex has been released (the IO handlers drop the mutex explicitly; ibwait() drops it internally when wait_mask is non-zero). A concurrent IBCLOSEDEV ioctl can free the descriptor through close_dev_ioctl() during that window, so the handler continues on freed memory.
A local attacker with low privileges (PR:L) who can open the gpib device can trigger the bug with concurrent ioctl calls from two threads: one issues an IO ioctl and drops the mutex, the other issues IBCLOSEDEV on the same handle, freeing the descriptor while the first is still using it. The CVSS vector is 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): a kernel use-after-free of this kind ranges from a crash (denial of service) to memory corruption that can be turned into kernel code execution and full privilege escalation. Exposure requires the gpib driver to be loaded and the device node to be accessible to the attacker.
The fix adds a kernel-only descriptor_busy reference count to struct gpib_descriptor. Each affected handler increments descriptor_busy under file_priv->descriptors_mutex before releasing big_gpib_mutex and decrements it when the operation completes; close_dev_ioctl() checks the count under the same mutex and rejects the close with -EBUSY while it is non-zero. A reference count rather than a flag is needed because several handlers can operate on one descriptor at once (e.g. IBRD and IBWAIT on the same handle from different threads), and a counter separate from io_in_progress is needed because io_in_progress can be cleared from unprivileged userspace through IBWAIT (general_ibstatus() with CMPL in set_mask), which would let an attacker defeat a check based on that field alone. Lock ordering stays big_gpib_mutex before descriptors_mutex, and descriptors_mutex is held only briefly during the lookup, so there is no deadlock risk and no measurable impact on IO throughput.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26582
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

gpib: fix use-after-free in IO ioctl handlers

The IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers use a gpib_descriptor pointer after board->big_gpib_mutex has been released. A concurrent IBCLOSEDEV ioctl can free the descriptor via close_dev_ioctl() during this window, causing a use-after-free.

The IO handlers (read_ioctl, write_ioctl, command_ioctl) explicitly release big_gpib_mutex before calling their handler. wait_ioctl() is called with big_gpib_mutex held, but ibwait() releases it internally when wait_mask is non-zero. In all four cases, the descriptor pointer obtained from handle_to_descriptor() becomes unprotected.

Fix this by introducing a kernel-only descriptor_busy reference count in struct gpib_descriptor. Each handler atomically increments descriptor_busy under file_priv->descriptors_mutex before releasing the lock, and decrements it when done. close_dev_ioctl() checks descriptor_busy under the same lock and rejects the close with -EBUSY if the count is non-zero.

A reference count rather than a simple flag is necessary because multiple handlers can operate on the same descriptor concurrently (e.g. IBRD and IBWAIT on the same handle from different threads).

A separate counter is needed because io_in_progress can be cleared from unprivileged userspace via the IBWAIT ioctl (through general_ibstatus() with set_mask containing CMPL), which would allow an attacker to bypass a check based solely on io_in_progress. The new descriptor_busy counter is only modified by the kernel IO paths.

The lock ordering is consistent (big_gpib_mutex -> descriptors_mutex) and the handlers only hold descriptors_mutex briefly during the lookup, so there is no deadlock risk and no impact on IO throughput.
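The locking discipline described in Deeper analysis and in the commit message above, as an added example that is not the kernel's code: a single-threaded C model in which the ioctl interleavings are driven by hand. The names gpib_descriptor, descriptor_busy, io_in_progress, handle_to_descriptor, close_dev_ioctl, general_ibstatus, CMPL, big_gpib_mutex and descriptors_mutex come from the page; the model_mutex type, the io_begin/io_end/ibwait_set_mask/close_dev helpers, the numeric CMPL value and the two scenario functions are assumptions made for the model. close_dev() takes a flag selecting either the rejected io_in_progress-based check or the fix's descriptor_busy check, so the two can be compared on the same interleaving.

```c
/* Single-threaded model of the descriptor_busy scheme (added example, not kernel code). */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_HANDLES 4
#define CMPL 0x0100   /* ibsta completion bit; value assumed for this model */

struct model_mutex { bool held; };   /* aborts on re-entry; enough for one thread */
static void lock(struct model_mutex *m)   { if (m->held) abort(); m->held = true; }
static void unlock(struct model_mutex *m) { if (!m->held) abort(); m->held = false; }

/* io_in_progress is user-visible (IBWAIT can clear it); descriptor_busy is the
 * kernel-only reference count the fix adds. */
struct gpib_descriptor { int io_in_progress; int descriptor_busy; };
struct file_priv { struct gpib_descriptor *descriptors[MAX_HANDLES]; struct model_mutex descriptors_mutex; };
static struct model_mutex big_gpib_mutex;

static struct gpib_descriptor *handle_to_descriptor(struct file_priv *fp, int handle)
{
    return (handle >= 0 && handle < MAX_HANDLES) ? fp->descriptors[handle] : NULL;
}

static void open_dev(struct file_priv *fp, int handle)
{
    lock(&fp->descriptors_mutex);
    fp->descriptors[handle] = calloc(1, sizeof(struct gpib_descriptor));
    unlock(&fp->descriptors_mutex);
}

/* Entry of IBRD/IBWRT/IBCMD/IBWAIT: take descriptors_mutex after big_gpib_mutex (the
 * fix's lock order), pin the descriptor, then release the big lock for the transfer. */
static struct gpib_descriptor *io_begin(struct file_priv *fp, int handle)
{
    lock(&big_gpib_mutex);
    lock(&fp->descriptors_mutex);
    struct gpib_descriptor *d = handle_to_descriptor(fp, handle);
    if (d) { d->descriptor_busy++; d->io_in_progress = 1; }
    unlock(&fp->descriptors_mutex);
    unlock(&big_gpib_mutex);   /* the IO itself runs without big_gpib_mutex */
    return d;
}

static void io_end(struct file_priv *fp, struct gpib_descriptor *d)
{
    lock(&fp->descriptors_mutex);
    d->descriptor_busy--; d->io_in_progress = 0;
    unlock(&fp->descriptors_mutex);
}

/* Unprivileged IBWAIT with CMPL in set_mask clears io_in_progress (general_ibstatus()). */
static void ibwait_set_mask(struct file_priv *fp, int handle, int set_mask)
{
    struct gpib_descriptor *d = handle_to_descriptor(fp, handle);
    if (d && (set_mask & CMPL)) d->io_in_progress = 0;
}

/* close_dev_ioctl(): free the descriptor unless the selected busy test refuses. */
static int close_dev(struct file_priv *fp, int handle, bool use_descriptor_busy)
{
    int ret = -EINVAL;
    lock(&fp->descriptors_mutex);
    struct gpib_descriptor *d = handle_to_descriptor(fp, handle);
    if (d && (use_descriptor_busy ? d->descriptor_busy : d->io_in_progress))
        ret = -EBUSY;
    else if (d) { fp->descriptors[handle] = NULL; free(d); ret = 0; }
    unlock(&fp->descriptors_mutex);
    return ret;
}

/* Thread B clears io_in_progress through IBWAIT and closes while thread A's transfer is
 * still running. Keyed on io_in_progress the close returns 0 and frees the descriptor
 * under A; keyed on descriptor_busy it returns -EBUSY until A calls io_end(). */
int close_after_ibwait_bypass(bool use_descriptor_busy)
{
    struct file_priv fp = {0};
    open_dev(&fp, 0);
    struct gpib_descriptor *d = io_begin(&fp, 0);    /* A: busy = 1, big lock dropped */
    ibwait_set_mask(&fp, 0, CMPL);                   /* B: io_in_progress = 0 */
    int ret = close_dev(&fp, 0, use_descriptor_busy);
    if (ret == 0) return ret;                        /* d now dangles: the UAF window */
    io_end(&fp, d);                                  /* A finishes: busy = 0 */
    if (close_dev(&fp, 0, true) != 0) abort();       /* B's retry now succeeds */
    return ret;
}

/* IBRD and IBWAIT on one handle from two threads: after only one has finished, close
 * must still be refused, which a single flag cannot express. */
int close_with_two_users(void)
{
    struct file_priv fp = {0};
    open_dev(&fp, 0);
    struct gpib_descriptor *d = io_begin(&fp, 0);    /* busy = 1 */
    io_begin(&fp, 0);                                /* busy = 2 */
    io_end(&fp, d);                                  /* busy = 1, io_in_progress = 0 */
    int ret = close_dev(&fp, 0, true);
    io_end(&fp, d);
    close_dev(&fp, 0, true);
    return ret;
}

int main(void)
{
    printf("flag-only close: %d, descriptor_busy close: %d, two users: %d (EBUSY = %d)\n",
           close_after_ibwait_bypass(false), close_after_ibwait_bypass(true),
           close_with_two_users(), EBUSY);
    return 0;
}
```

Build with `cc -std=c11 -Wall model.c`. The flag-only close returns 0 (the descriptor is freed under the running handler, which is the bug), while the descriptor_busy close returns -EBUSY in both scenarios. The model does not reproduce the race itself, only the invariant the fix enforces: a descriptor with descriptor_busy greater than zero cannot be freed, and nothing reachable from userspace can lower that count.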
CWE(s)
- CWE-416: Use After Free
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1068: Exploitation for Privilege Escalation
Why these techniques?
A local kernel use-after-free in the gpib ioctl handlers (IBRD/IBWRT/IBCMD/IBWAIT) is reachable by a low-privileged user with access to the device by racing concurrent ioctl calls; a successful exploit can give kernel code execution and therefore full privilege escalation (high C/I/A impact).
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): apply the kernel update that carries the gpib fix. Patching removes the race outright and is the only control here that actually corrects the bug.
CM-7 (Least Functionality): do not load the gpib driver where GPIB hardware is not in use (by blacklisting it in the modprobe configuration or leaving it out of the kernel build), which removes the vulnerable ioctl handlers entirely. Where the driver is needed, restrict permissions on the gpib device node so that only users who must drive the instrument bus can open it, since the attacker needs device access (PR:L).
SI-16 (Memory Protection): kernel address space layout randomization (KASLR) and supervisor mode execution prevention (SMEP) raise the cost of turning the gpib_descriptor use-after-free into code execution, but they do not close the race and do not prevent the crash it can cause; treat them as defense in depth behind SI-2 and CM-7.