7.8

CVE-2026-31576

media: hackrf: fix to not free memory after the device is registered in hackrf_probe()

In the Linux kernel, the following vulnerability has been resolved:

media: hackrf: fix to not free memory after the device is registered in hackrf_probe()

In hackrf driver, the following race condition occurs:
```
		CPU0						CPU1
hackrf_probe()
  kzalloc(); // alloc hackrf_dev
  ....
  v4l2_device_register();
  ....
						fd = sys_open("/path/to/dev"); // open hackrf fd
						....
  v4l2_device_unregister();
  ....
  kfree(); // free hackrf_dev
  ....
						sys_ioctl(fd, ...);
						  v4l2_ioctl();
						    video_is_registered() // UAF!!
						....
						sys_close(fd);
						  v4l2_release() // UAF!!
						    hackrf_video_release()
						      kfree(); // DFB!!
```

When a V4L2 or video device is unregistered, the device node is removed so
new open() calls are blocked.

However, file descriptors that are already open-and any in-flight I/O-do
not terminate immediately; they remain valid until the last reference is
dropped and the driver's release() is invoked.

Therefore, freeing device memory on the error path after hackrf_probe()
has registered dev it will lead to a race to use-after-free vuln, since
those already-open handles haven't been released yet.

And since release() free memory too, race to use-after-free and
double-free vuln occur.

To prevent this, if device is registered from probe(), it should be
modified to free memory only through release() rather than calling
kfree() directly.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version < 6.6.136
LinuxLinux Kernel Version >= 6.7 < 6.12.83
LinuxLinux Kernel Version >= 6.13 < 6.18.24
LinuxLinux Kernel Version >= 6.19 < 6.19.14
LinuxLinux Kernel Version >= 7.0 < 7.0.1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.13% 0.027
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/98a0a81ce78020c2522e0046f49d200de9778cb9
Patch
https://git.kernel.org/stable/c/07e9e674b6146b1f6fc41b1f54b8968bf2802824
Patch
https://git.kernel.org/stable/c/2145c71a8044362e82e9923f001ba2aeb771b848
Patch
https://git.kernel.org/stable/c/fcd1d70792a35c8a97414fe429f48311e41269c2
Patch
https://git.kernel.org/stable/c/3b7da2b4d0fe014eff181ed37e3bf832eb8ed258
Patch
https://git.kernel.org/stable/c/45cbaf5c7cdc5386d86377f0daf94a17a007fed0
Patch
https://git.kernel.org/stable/c/131ec9046e1c8af101aebdaec4e8095e05f3312b
https://git.kernel.org/stable/c/67fd62e3efdc9dce01f76d95a745212f4feb38e6
https://git.kernel.org/stable/c/87b9685cca91ed715c39ba544715832d26a7f4b4