Security Vulnerability Report
CVE-2026-31689 CVSS 5.5 MEDIUM

CVE-2026-31689

Published: 2026-04-27 18:16:54
Last Modified: 2026-05-06 18:33:40
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

EDAC/mc: Fix error path ordering in edac_mc_alloc()

When the mci->pvt_info allocation in edac_mc_alloc() fails, the error path will call put_device() which will end up calling the device's release function.

However, the init ordering is wrong such that device_initialize() happens *after* the failed allocation and thus the device itself and the release function pointer are not initialized yet when they're called:

  MCE: In-kernel MCE decoding enabled.
  ------------[ cut here ]------------
  kobject: '(null)': is not initialized, yet kobject_put() is being called.
  WARNING: lib/kobject.c:734 at kobject_put, CPU#22: systemd-udevd
  CPU: 22 UID: 0 PID: 538 Comm: systemd-udevd Not tainted 7.0.0-rc1+ #2 PREEMPT(full)
  RIP: 0010:kobject_put
  Call Trace:
   <TASK>
   edac_mc_alloc+0xbe/0xe0 [edac_core]
   amd64_edac_init+0x7a4/0xff0 [amd64_edac]
   ? __pfx_amd64_edac_init+0x10/0x10 [amd64_edac]
   do_one_initcall
   ...

Reorder the calling sequence so that the device is initialized and thus the release function pointer is properly set before it can be used.

This was found by Claude while reviewing another EDAC patch.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 6.6 (inferred from the Git patch)
Linux Kernel < 6.1 (stable)
Linux Kernel < 5.15 (LTS)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/*
 * Conceptual PoC for CVE-2026-31689
 * This C code simulates the vulnerable logic flow in the Linux kernel EDAC subsystem.
 * Triggering the actual crash requires a specific environment (kernel compilation, hardware).
 */
#include <stdio.h>
#include <stdlib.h>

/* Simulating kernel structures */
struct kobject {
    const char *name;
    int initialized;
};

struct device {
    struct kobject kobj;
    void (*release)(struct device *dev);
};

struct mem_ctl_info {
    struct device dev;
    void *pvt_info;
};

/* Helper to simulate put_device -> kobject_put */
void kobject_put(struct kobject *kobj)
{
    if (!kobj->initialized) {
        printf("[VULNERABILITY TRIGGERED] kobject: '(null)': is not initialized, yet kobject_put() is being called.\n");
        /* In the real kernel, this causes a panic/warning */
    } else {
        printf("kobject released safely.\n");
    }
}

void put_device(struct device *dev)
{
    if (!dev)
        return;
    if (dev->release)
        dev->release(dev);
    kobject_put(&dev->kobj);
}

void device_initialize(struct device *dev)
{
    dev->kobj.initialized = 1;
    printf("Device initialized.\n");
}

/*
 * The vulnerable function (edac_mc_alloc logic).
 * fail_pvt_alloc forces the pvt_info allocation to fail so the error path runs.
 */
struct mem_ctl_info *edac_mc_alloc_vulnerable(int fail_pvt_alloc)
{
    /* Zeroed allocation: an untouched device has a NULL name and release pointer */
    struct mem_ctl_info *mci = calloc(1, sizeof(*mci));
    if (!mci)
        return NULL;

    /* 1. Attempt to allocate private info */
    mci->pvt_info = fail_pvt_alloc ? NULL : malloc(1024);
    if (!mci->pvt_info) {
        /* 2. Error path reached */
        printf("Allocation failed, entering error path...\n");
        /* 3. VULNERABILITY: put_device is called BEFORE device_initialize */
        put_device(&mci->dev);
        free(mci);
        return NULL;
    }

    /* This happens AFTER the check in the vulnerable version */
    device_initialize(&mci->dev);
    return mci;
}

int main(void)
{
    printf("Simulating CVE-2026-31689...\n");

    /* Simulate the allocation failure so the vulnerable error path is taken */
    struct mem_ctl_info *mci = edac_mc_alloc_vulnerable(1);
    if (mci) {
        free(mci->pvt_info);
        free(mci);
    }
    return 0;
}
```
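The reordering the description asks for, set beside the pre-fix ordering, as an added user-space example (not the kernel patch and not code from this page). The struct layout, the `refcount` field, `mci_release` and `mc_alloc_sim` are simplified stand-ins assumed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space stand-ins for the kernel objects; layout and names are assumptions. */
struct device { int refcount; void (*release)(struct device *dev); };
struct mem_ctl_info { struct device dev; void *pvt_info; };

static int released;   /* how many times the release callback ran */

static void mci_release(struct device *dev)
{
    struct mem_ctl_info *mci =
        (struct mem_ctl_info *)((char *)dev - offsetof(struct mem_ctl_info, dev));
    free(mci->pvt_info);
    free(mci);
    released++;
}

static void device_initialize(struct device *dev) { dev->refcount = 1; }

/* 0: reference dropped cleanly; -1: device never initialized (the kernel WARNs here). */
static int put_device(struct device *dev)
{
    if (dev->refcount <= 0)
        return -1;
    if (--dev->refcount == 0 && dev->release)
        dev->release(dev);
    return 0;
}

/* init_first=1 is the reordered sequence; fail_pvt=1 simulates the failed allocation. */
static struct mem_ctl_info *mc_alloc_sim(int init_first, int fail_pvt, int *put_rc)
{
    struct mem_ctl_info *mci = calloc(1, sizeof(*mci));
    if (!mci)
        return NULL;
    if (init_first) { mci->dev.release = mci_release; device_initialize(&mci->dev); }
    mci->pvt_info = fail_pvt ? NULL : malloc(64);
    if (!mci->pvt_info) {
        *put_rc = put_device(&mci->dev);   /* error path */
        if (*put_rc < 0)
            free(mci);                     /* simulation only: no release ran */
        return NULL;
    }
    if (!init_first) { mci->dev.release = mci_release; device_initialize(&mci->dev); }
    return mci;
}

int main(void)
{
    int old_rc = 0, new_rc = 0;
    mc_alloc_sim(0, 1, &old_rc);
    mc_alloc_sim(1, 1, &new_rc);
    printf("pre-fix put_device=%d, reordered put_device=%d, releases=%d\n",
           old_rc, new_rc, released);
    return 0;
}
```

With the device initialized first, the error path's `put_device()` drops the only reference and the release callback frees the whole object, so no separate cleanup is needed on that path.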

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31689", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-27T18:16:54.387", "lastModified": "2026-05-06T18:33:39.837", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/mc: Fix error path ordering in edac_mc_alloc()\n\nWhen the mci->pvt_info allocation in edac_mc_alloc() fails, the error path\nwill call put_device() which will end up calling the device's release\nfunction.\n\nHowever, the init ordering is wrong such that device_initialize() happens\n*after* the failed allocation and thus the device itself and the release\nfunction pointer are not initialized yet when they're called:\n\n MCE: In-kernel MCE decoding enabled.\n ------------[ cut here ]------------\n kobject: '(null)': is not initialized, yet kobject_put() is being called.\n WARNING: lib/kobject.c:734 at kobject_put, CPU#22: systemd-udevd\n CPU: 22 UID: 0 PID: 538 Comm: systemd-udevd Not tainted 7.0.0-rc1+ #2 PREEMPT(full)\n RIP: 0010:kobject_put\n Call Trace:\n <TASK>\n edac_mc_alloc+0xbe/0xe0 [edac_core]\n amd64_edac_init+0x7a4/0xff0 [amd64_edac]\n ? 
__pfx_amd64_edac_init+0x10/0x10 [amd64_edac]\n do_one_initcall\n ...\n\nReorder the calling sequence so that the device is initialized and thus the\nrelease function pointer is properly set before it can be used.\n\nThis was found by Claude while reviewing another EDAC patch."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.19", "versionEndExcluding": "6.1.169", "matchCriteriaId": "3AB249AE-837F-4928-AD92-D399D2D3E94A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.135", "matchCriteriaId": "15C1A1B2-14EE-494C-AF3E-D5A7BA640B39"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.82", "matchCriteriaId": "02904CAE-71D2-45B3-9EC3-F6A9D18B6307"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.23", "matchCriteriaId": "E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.13", "matchCriteriaId": 
"1490EF9B-9080-481C-8D22-1306AAE664E4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/51520e03e70d6c73e33ee7cbe0319767d05764fe", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/75825648ce984ca4cebb28e4bd2bf8c3a7e837c5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/87ce8ae511962e105bcb3534944208c6a9471ed9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/aae95970fad2127a1bd49d8713c7cd0677dcd2d6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d20e98c2df9354cc744431ad8ccbf49405b8b40f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" ... (truncated)