CVE-2026-31527

When a driver is probed through __driverattach(), the bus' match() callback is called without the device lock held, thus accessing the driveroverride field without a lock, which can cause a UAF.

Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally.

Note that calling match() from _driverattach() without the device lock held is intentional. [1]

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31527.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

3d713e0e382e6fcfb4bba1501645b66c129ad60b

Fixed

9a6086d2a828dd2ff74cf9abcae456670febd71f

Fixed

7c02a9bd7d14a89065fcf672b86d8e1d1a41d3b1

Fixed

edee7ee5a14c3b33f6d54641f5af5c5e9180992d

Fixed

2b38efc05bf7a8568ec74bfffea0f5cfa62bc01d

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31527.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.17.0

Fixed

6.12.80

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.21

Type: ECOSYSTEM
Events: Introduced

6.19.0

Fixed

6.19.11

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31527.json"