CVE-2026-31576

Published: Apr 24, 2026

Modified: Jun 1, 2026

PUBLISHED

Description

In the Linux kernel, the following vulnerability has been resolved:

media: hackrf: fix to not free memory after the device is registered in hackrf_probe()

In hackrf driver, the following race condition occurs:

```
CPU0                              CPU1
hackrf_probe()
  kzalloc(); // alloc hackrf_dev
  ....
  v4l2_device_register();
  ....
                                  fd = sys_open("/path/to/dev"); // open hackrf fd
                                  ....
  v4l2_device_unregister();
  ....
  kfree(); // free hackrf_dev
  ....
                                  sys_ioctl(fd, ...);
                                    v4l2_ioctl();
                                      video_is_registered() // UAF!!
                                  ....
                                  sys_close(fd);
                                    v4l2_release() // UAF!!
                                      hackrf_video_release()
                                        kfree(); // DFB!!
```

When a V4L2 or video device is unregistered, the device node is removed so new open() calls are blocked.

However, file descriptors that are already open, and any in-flight I/O, do not terminate immediately; they remain valid until the last reference is dropped and the driver's release() is invoked.

Therefore, freeing device memory on the error path after hackrf_probe() has registered dev will lead to a race to use-after-free vuln, since those already-open handles haven't been released yet.

And since release() frees memory too, race to use-after-free and double-free vuln occur.

To prevent this, if the device is registered from probe(), it should be modified to free memory only through release() rather than calling kfree() directly.
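The lifetime rule described above, replayed in a small user-space C model; this is an added illustration, not code from the kernel or the hackrf driver. The `model_dev` struct, its counters and the reference accounting (registration holds one reference, each open descriptor holds one) are assumptions of the model.

```c
/* User-space model, not kernel code: nothing is really freed, frees are counted. */
#include <stdbool.h>
#include <stdio.h>

struct model_dev {
    int  refs;        /* assumed: registration holds 1, each open fd holds 1 */
    bool registered;  /* device node present, open() allowed */
    int  frees;       /* times the modelled kfree() ran on this object */
    int  uaf;         /* accesses made after the first free */
};
static void model_kfree(struct model_dev *d) { d->frees++; }
static void touch(struct model_dev *d) { if (d->frees) d->uaf++; }
/* Drop one reference; the last put stands in for release(), which frees. */
static void put(struct model_dev *d)
{
    touch(d);
    if (--d->refs == 0) model_kfree(d);
}

static bool dev_open(struct model_dev *d)
{
    if (d->registered) d->refs++;      /* node removed: new opens are blocked */
    return d->registered;
}

/* Probe error path taken after registration; direct_free models the old code. */
static void probe_error_path(struct model_dev *d, bool direct_free)
{
    d->registered = false;             /* unregister only blocks new open() */
    put(d);                            /* drop the registration reference */
    if (direct_free) model_kfree(d);   /* old: kfree() while an fd is open */
}

/* Replay the CPU0/CPU1 interleaving from the description. */
static struct model_dev replay(bool direct_free)
{
    struct model_dev d = { .refs = 1, .registered = true };
    dev_open(&d);                      /* CPU1: open before probe fails */
    probe_error_path(&d, direct_free); /* CPU0: failure after registering */
    touch(&d);                         /* CPU1: ioctl on the open fd */
    put(&d);                           /* CPU1: close drops the last reference */
    return d;
}

int main(void)
{
    struct model_dev old = replay(true), fixed = replay(false);
    printf("old: frees=%d uaf=%d\n", old.frees, old.uaf);
    printf("fixed: frees=%d uaf=%d\n", fixed.frees, fixed.uaf);
    return 0;
}
```

With the direct free, the replay records two accesses after the free and two frees of the same object; when only the last put frees, it records one free and no late access.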

Vendor: Linux

Product: Linux

Versions:

affected
8bc4a9ed85046c214458c9e82aea75d2f46cfffd - < 87b9685cca91ed715c39ba544715832d26a7f4b4
affected
8bc4a9ed85046c214458c9e82aea75d2f46cfffd - < 131ec9046e1c8af101aebdaec4e8095e05f3312b
affected
8bc4a9ed85046c214458c9e82aea75d2f46cfffd - < 67fd62e3efdc9dce01f76d95a745212f4feb38e6
affected
8bc4a9ed85046c214458c9e82aea75d2f46cfffd - < 45cbaf5c7cdc5386d86377f0daf94a17a007fed0
affected
8bc4a9ed85046c214458c9e82aea75d2f46cfffd - < 98a0a81ce78020c2522e0046f49d200de9778cb9

+4 more versions

Vendor: Linux

Product: Linux

Versions:

affected
4.4
unaffected
0 - < 4.4
unaffected
5.10.258 - <= 5.10.*
unaffected
5.15.209 - <= 5.15.*
unaffected
6.1.175 - <= 6.1.*

+6 more versions
