CVE-2026-31578

Source
https://cve.org/CVERecord?id=CVE-2026-31578
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31578.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31578
Published
2026-04-24T14:42:09.519Z
Modified
2026-06-18T03:57:05.826093198Z
Summary
media: as102: fix to not free memory after the device is registered in as102_usb_probe()
Details

In the Linux kernel, the following vulnerability has been resolved:

media: as102: fix to not free memory after the device is registered in as102_usb_probe()

In the as102_usb driver, the following race condition occurs:

        CPU0                        CPU1
as102_usb_probe()
  kzalloc(); // alloc as102_dev_t
  ....
  usb_register_dev();
                        fd = sys_open("/path/to/dev"); // open as102 fd
                        ....
  usb_deregister_dev();
  ....
  kfree(); // free as102_dev_t
  ....
                        sys_close(fd);
                          as102_release() // UAF!!
                            as102_usb_release()
                              kfree(); // DFB!!

When a USB character device registered with usb_register_dev() is later unregistered (via usb_deregister_dev() or disconnect), the device node is removed so new open() calls fail. However, file descriptors that are already open do not go away immediately: they remain valid until the last reference is dropped and the driver's .release() is invoked.

In as102, as102_usb_probe() calls usb_register_dev() and then, on an error path, does usb_deregister_dev() and frees as102_dev_t right away. If userspace raced a successful open() before the deregistration, that open FD will later hit as102_release() --> as102_usb_release() and access or free as102_dev_t again, causing a race that leads to use-after-free and double-free vulnerabilities.

The fix is to never kfree(as102_dev_t) directly once usb_register_dev() has succeeded. After deregistration, defer freeing memory to .release().

In other words, let release() perform the last kfree when the final open FD is closed.
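
The interleaving from the diagram above, replayed as a small userspace C model. This is an added example, not code from the kernel or the as102 driver: the reference counter and every model_* name are assumptions made for illustration, and frees are only counted (never performed) so that the use-after-free and double free show up as numbers.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed userspace model, not driver code; all names are hypothetical. */
struct model_dev {
    bool node;   /* device node visible, so open() can succeed */
    int refs;    /* probe's reference plus one per open fd */
    int frees;   /* times the object was handed to "kfree" */
    int stale;   /* accesses made after the first free */
};

/* Drop one reference; the last holder frees (counted here, not real). */
static void model_put(struct model_dev *d) {
    if (d->frees)
        d->stale++;          /* use-after-free */
    if (--d->refs == 0)
        d->frees++;
}

/* open() succeeds only while the node is registered. */
static bool model_open(struct model_dev *d) {
    if (d->node)
        d->refs++;
    return d->node;
}

/* Probe error path taken after registration succeeded. */
static void model_probe_fail(struct model_dev *d, bool fixed) {
    d->node = false;         /* deregister: new open() calls fail */
    if (fixed) {
        model_put(d);        /* defer: frees only if no fd is open */
    } else {
        d->refs--;
        d->frees++;          /* old path: frees unconditionally */
    }
}

/* Replay the interleaving: racing open, probe failure, close. */
static struct model_dev model_race(bool fixed) {
    struct model_dev d = { .node = true, .refs = 1 };
    bool opened = model_open(&d);   /* CPU1 wins the race */
    model_probe_fail(&d, fixed);    /* CPU0 error path */
    if (opened)
        model_put(&d);              /* close(fd) -> .release() */
    return d;
}
int main(void) {
    struct model_dev o = model_race(false), f = model_race(true);
    printf("old: frees=%d stale=%d\nfixed: frees=%d stale=%d\n", o.frees, o.stale, f.frees, f.stale);
    return 0;
}
```

With the old error path the model records one stale access and two frees; with the deferred free it records a single free, performed by the final close.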

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31578.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c
Fixed
0d36653a3a821e5a974798adb347b3ea09332914
Fixed
25d500cf391e384356a612b85cf60b353ad3cd0c
Fixed
07ceb444c8f627cf863864d4274b5a77769725ed
Fixed
cb8092038e95dc1113a68e63762de40fff61ba71
Fixed
582fbecb3756330006fe1950762412a68c2cacd2
Fixed
09e9206008b887aa553733bd915d73131071a086
Fixed
2eeae47a438694408189138048a786be99954032
Fixed
7e5aedf6059cba2a669d86caeaf5a51f33ec85a1
Fixed
8bd29dbe03fc5b0f039ab2395ff37b64236d2f0c

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31578.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type       Introduced  Fixed
ECOSYSTEM  3.14.0      5.10.258
ECOSYSTEM  5.11.0      5.15.209
ECOSYSTEM  5.16.0      6.1.175
ECOSYSTEM  6.2.0       6.6.136
ECOSYSTEM  6.7.0       6.12.83
ECOSYSTEM  6.13.0      6.18.24
ECOSYSTEM  6.19.0      6.19.14
ECOSYSTEM  6.20.0      7.0.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31578.json"