Cyber Resilience

CVE-2026-31769

Severity: High
Published: 01 May 2026
Modified: 11 May 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (3.3rd percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31769 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel (vendor: Linux, product: Linux Kernel). Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 3.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31769 is a use-after-free vulnerability in the Linux kernel's gpib (General Purpose Interface Bus) driver. The issue affects the IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers, which obtain a gpib_descriptor pointer via handle_to_descriptor() and continue using it after releasing the board->big_gpib_mutex lock. A concurrent IBCLOSEDEV ioctl can free the descriptor through close_dev_ioctl() during this unprotected window, leading to the use-after-free condition.

A local attacker with low privileges (PR:L) who can access the gpib device can exploit this vulnerability by issuing concurrent ioctl calls from different threads. For example, one thread performs an IO operation (releasing the mutex), while another closes the device handle, triggering the UAF on the descriptor pointer. Successful exploitation can result in high impacts on confidentiality, integrity, and availability (CVSS 7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), potentially allowing arbitrary code execution, data corruption, or denial of service.

The provided patch commits introduce a kernel-only descriptor_busy reference count in struct gpib_descriptor to mitigate the issue. Each affected handler atomically increments descriptor_busy under file_priv->descriptors_mutex before releasing big_gpib_mutex and decrements it upon completion. The close_dev_ioctl() function checks descriptor_busy under the same mutex and rejects the close with -EBUSY if the count is non-zero. A reference count is used instead of a flag to handle concurrent operations on the same descriptor (e.g., IBRD and IBWAIT from different threads), and it is separate from io_in_progress to prevent bypass via unprivileged IBWAIT calls. The fix maintains consistent lock ordering (big_gpib_mutex before descriptors_mutex) with minimal performance impact.
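The descriptor_busy scheme described above, as an added user-space model that is not the kernel's code: a pthread mutex stands in for file_priv->descriptors_mutex, big_gpib_mutex appears only in comments, and io_begin(), io_end(), close_dev(), close_result_after() and the four-slot handle table are hypothetical names chosen for this illustration. The last function replays the advisory's two-handler scenario and shows why a count, not a flag, is needed.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

struct gpib_descriptor { int descriptor_busy; }; /* kernel-only: IO handlers holding it */
struct file_priv {
	pthread_mutex_t descriptors_mutex;      /* guards descriptors[] and descriptor_busy */
	struct gpib_descriptor *descriptors[4];
};
#define handle_to_descriptor(fp, h) (((h) >= 0 && (h) < 4) ? (fp)->descriptors[h] : NULL)
/* IBRD/IBWRT/IBCMD/IBWAIT entry: pin the descriptor before big_gpib_mutex is dropped. */
int io_begin(struct file_priv *fp, int h, struct gpib_descriptor **out)
{
	pthread_mutex_lock(&fp->descriptors_mutex);
	if ((*out = handle_to_descriptor(fp, h)))
		(*out)->descriptor_busy++;
	pthread_mutex_unlock(&fp->descriptors_mutex);
	return *out ? 0 : -EBADF;
}
/* IO handler exit: drop the reference taken in io_begin(). */
void io_end(struct file_priv *fp, struct gpib_descriptor *d)
{
	pthread_mutex_lock(&fp->descriptors_mutex);
	d->descriptor_busy--;
	pthread_mutex_unlock(&fp->descriptors_mutex);
}
/* close_dev_ioctl() stand-in: -EBUSY instead of freeing a descriptor still in use. */
int close_dev(struct file_priv *fp, int h)
{
	pthread_mutex_lock(&fp->descriptors_mutex);
	struct gpib_descriptor *d = handle_to_descriptor(fp, h);
	int ret = !d ? -EBADF : d->descriptor_busy ? -EBUSY : 0;
	if (ret == 0) { fp->descriptors[h] = NULL; free(d); }
	pthread_mutex_unlock(&fp->descriptors_mutex);
	return ret;
}
/* The advisory's race replayed in order: IBRD and IBWAIT both pin handle 0, then
 * IBCLOSEDEV runs after `completed` of them finished. A plain flag would clear at
 * the first io_end() and let the close free the descriptor under the other handler. */
int close_result_after(int completed)
{
	struct file_priv fp = { PTHREAD_MUTEX_INITIALIZER, { calloc(1, sizeof(struct gpib_descriptor)) } };
	struct gpib_descriptor *held[2]; /* pointers the two IO handlers keep after unlocking */
	io_begin(&fp, 0, &held[0]);
	io_begin(&fp, 0, &held[1]);
	for (int i = 0; i < completed && i < 2; i++) io_end(&fp, held[i]);
	int ret = close_dev(&fp, 0); /* -EBUSY, -EBUSY, 0 for completed = 0, 1, 2 */
	free(fp.descriptors[0]);     /* already NULL once the close succeeded */
	return ret;
}
```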


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

gpib: fix use-after-free in IO ioctl handlers

The IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers use a gpib_descriptor pointer after board->big_gpib_mutex has been released. A concurrent IBCLOSEDEV ioctl can free the descriptor via close_dev_ioctl() during this window, causing a use-after-free.

The IO handlers (read_ioctl, write_ioctl, command_ioctl) explicitly release big_gpib_mutex before calling their handler. wait_ioctl() is called with big_gpib_mutex held, but ibwait() releases it internally when wait_mask is non-zero. In all four cases, the descriptor pointer obtained from handle_to_descriptor() becomes unprotected.

Fix this by introducing a kernel-only descriptor_busy reference count in struct gpib_descriptor. Each handler atomically increments descriptor_busy under file_priv->descriptors_mutex before releasing the lock, and decrements it when done. close_dev_ioctl() checks descriptor_busy under the same lock and rejects the close with -EBUSY if the count is non-zero.

A reference count rather than a simple flag is necessary because multiple handlers can operate on the same descriptor concurrently (e.g. IBRD and IBWAIT on the same handle from different threads).

A separate counter is needed because io_in_progress can be cleared from unprivileged userspace via the IBWAIT ioctl (through general_ibstatus() with set_mask containing CMPL), which would allow an attacker to bypass a check based solely on io_in_progress. The new descriptor_busy counter is only modified by the kernel IO paths.

The lock ordering is consistent (big_gpib_mutex -> descriptors_mutex) and the handlers only hold descriptors_mutex briefly during the lookup, so there is no deadlock risk and no impact on IO throughput.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation · tactic: Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF in gpib ioctl handlers (IBRD/IBWRT/etc.) is directly exploitable by a low-privileged user with device access via concurrent calls, yielding arbitrary code execution and full privilege escalation (C/I/A high impact).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

All of the following share the same product (Linux Linux Kernel):

CVE-2026-23111
CVE-2026-31530
CVE-2026-43019
CVE-2026-23158
CVE-2025-21893
CVE-2026-31446
CVE-2026-31650
CVE-2026-23001
CVE-2024-50051
CVE-2025-21759

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 7.0 · 6.13 through 6.18.22 · 6.19 through 6.19.12

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation · prevent
Mandates timely identification, reporting, prioritization, and remediation of the use-after-free flaw in the gpib driver, directly preventing exploitation via patching.

CM-7 Least Functionality · prevent
Prohibits or restricts nonessential kernel modules such as gpib when they are not required, eliminating exposure to this device-driver-specific race condition and its ioctl handlers.

Memory protection · prevent
Deploys memory protection mechanisms such as address space layout randomization and supervisor mode execution prevention to mitigate exploitation of the use-after-free on the gpib_descriptor.
