GHSA-WRGV-V45W-6GXV

Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-04-24 15:32
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

media: as102: fix to not free memory after the device is registered in as102_usb_probe()

In as102_usb driver, the following race condition occurs:

        CPU0                        CPU1
as102_usb_probe()
  kzalloc(); // alloc as102_dev_t
  ....
  usb_register_dev();
                        fd = sys_open("/path/to/dev"); // open as102 fd
                        ....
  usb_deregister_dev();
  ....
  kfree(); // free as102_dev_t
  ....
                        sys_close(fd);
                          as102_release() // UAF!!
                            as102_usb_release()
                              kfree(); // DFB!!

When a USB character device registered with usb_register_dev() is later unregistered (via usb_deregister_dev() or disconnect), the device node is removed so new open() calls fail. However, file descriptors that are already open do not go away immediately: they remain valid until the last reference is dropped and the driver's .release() is invoked.

In as102, as102_usb_probe() calls usb_register_dev() and then, on an error path, does usb_deregister_dev() and frees as102_dev_t right away. If userspace raced a successful open() before the deregistration, that open FD will later hit as102_release() --> as102_usb_release() and access or free as102_dev_t again, occur a race to use-after-free and double-free vuln.

The fix is to never kfree(as102_dev_t) directly once usb_register_dev() has succeeded. After deregistration, defer freeing memory to .release().

In other words, let release() perform the last kfree when the final open FD is closed.

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2026-31578"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-24T15:16:32Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: as102: fix to not free memory after the device is registered in as102_usb_probe()\n\nIn as102_usb driver, the following race condition occurs:\n```\n\t\tCPU0\t\t\t\t\t\tCPU1\nas102_usb_probe()\n  kzalloc(); // alloc as102_dev_t\n  ....\n  usb_register_dev();\n\t\t\t\t\t\tfd = sys_open(\"/path/to/dev\"); // open as102 fd\n\t\t\t\t\t\t....\n  usb_deregister_dev();\n  ....\n  kfree(); // free as102_dev_t\n  ....\n\t\t\t\t\t\tsys_close(fd);\n\t\t\t\t\t\t  as102_release() // UAF!!\n\t\t\t\t\t\t    as102_usb_release()\n\t\t\t\t\t\t      kfree(); // DFB!!\n```\n\nWhen a USB character device registered with usb_register_dev() is later\nunregistered (via usb_deregister_dev() or disconnect), the device node is\nremoved so new open() calls fail. However, file descriptors that are\nalready open do not go away immediately: they remain valid until the last\nreference is dropped and the driver\u0027s .release() is invoked.\n\nIn as102, as102_usb_probe() calls usb_register_dev() and then, on an\nerror path, does usb_deregister_dev() and frees as102_dev_t right away.\nIf userspace raced a successful open() before the deregistration, that\nopen FD will later hit as102_release() --\u003e as102_usb_release() and access\nor free as102_dev_t again, occur a race to use-after-free and\ndouble-free vuln.\n\nThe fix is to never kfree(as102_dev_t) directly once usb_register_dev()\nhas succeeded. After deregistration, defer freeing memory to .release().\n\nIn other words, let release() perform the last kfree when the final open\nFD is closed.",
  "id": "GHSA-wrgv-v45w-6gxv",
  "modified": "2026-04-24T15:32:34Z",
  "published": "2026-04-24T15:32:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31578"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/09e9206008b887aa553733bd915d73131071a086"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2eeae47a438694408189138048a786be99954032"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/582fbecb3756330006fe1950762412a68c2cacd2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7e5aedf6059cba2a669d86caeaf5a51f33ec85a1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.