CVE-2026-31576

Description

In the Linux kernel, the following vulnerability has been resolved: media: hackrf: fix to not free memory after the device is registered in hackrf_probe() In hackrf driver, the following race condition occurs: ``` CPU0 CPU1 hackrf_probe() kzalloc(); // alloc hackrf_dev .... v4l2_device_register(); .... fd = sys_open("/path/to/dev"); // open hackrf fd .... v4l2_device_unregister(); .... kfree(); // free hackrf_dev .... sys_ioctl(fd, ...); v4l2_ioctl(); video_is_registered() // UAF!! .... sys_close(fd); v4l2_release() // UAF!! hackrf_video_release() kfree(); // DFB!! ``` When a V4L2 or video device is unregistered, the device node is removed so new open() calls are blocked. However, file descriptors that are already open-and any in-flight I/O-do not terminate immediately; they remain valid until the last reference is dropped and the driver's release() is invoked. Therefore, freeing device memory on the error path after hackrf_probe() has registered dev it will lead to a race to use-after-free vuln, since those already-open handles haven't been released yet. And since release() free memory too, race to use-after-free and double-free vuln occur. To prevent this, if device is registered from probe(), it should be modified to free memory only through release() rather than calling kfree() directly.

PUBLISHED Reserved 2026-03-09 | Published 2026-04-24 | Updated 2026-04-27 | Assigner Linux

Product status

References

git.kernel.org/...c/45cbaf5c7cdc5386d86377f0daf94a17a007fed0

git.kernel.org/...c/98a0a81ce78020c2522e0046f49d200de9778cb9

git.kernel.org/...c/07e9e674b6146b1f6fc41b1f54b8968bf2802824

git.kernel.org/...c/2145c71a8044362e82e9923f001ba2aeb771b848

git.kernel.org/...c/fcd1d70792a35c8a97414fe429f48311e41269c2

git.kernel.org/...c/3b7da2b4d0fe014eff181ed37e3bf832eb8ed258

cve.org (CVE-2026-31576)

nvd.nist.gov (CVE-2026-31576)

Download JSON