In the Linux kernel, the following vulnerability has been resolved:
media: as102: fix to not free memory after the device is registered in as102usbprobe()
In as102_usb driver, the following race condition occurs:
CPU0 CPU1
as102_usb_probe()
kzalloc(); // alloc as102_dev_t
....
usb_register_dev();
fd = sys_open("/path/to/dev"); // open as102 fd
....
usb_deregister_dev();
....
kfree(); // free as102_dev_t
....
sys_close(fd);
as102_release() // UAF!!
as102_usb_release()
kfree(); // DFB!!
When a USB character device registered with usbregisterdev() is later unregistered (via usbderegisterdev() or disconnect), the device node is removed so new open() calls fail. However, file descriptors that are already open do not go away immediately: they remain valid until the last reference is dropped and the driver's .release() is invoked.
In as102, as102usbprobe() calls usbregisterdev() and then, on an error path, does usbderegisterdev() and frees as102devt right away. If userspace raced a successful open() before the deregistration, that open FD will later hit as102release() --> as102usbrelease() and access or free as102dev_t again, occur a race to use-after-free and double-free vuln.
The fix is to never kfree(as102devt) directly once usbregisterdev() has succeeded. After deregistration, defer freeing memory to .release().
In other words, let release() perform the last kfree when the final open FD is closed.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31578.json",
"cna_assigner": "Linux"
}