7.8

CVE-2026-31578

media: as102: fix to not free memory after the device is registered in as102_usb_probe()

In the Linux kernel, the following vulnerability has been resolved:

media: as102: fix to not free memory after the device is registered in as102_usb_probe()

In as102_usb driver, the following race condition occurs:
```
		CPU0						CPU1
as102_usb_probe()
  kzalloc(); // alloc as102_dev_t
  ....
  usb_register_dev();
						fd = sys_open("/path/to/dev"); // open as102 fd
						....
  usb_deregister_dev();
  ....
  kfree(); // free as102_dev_t
  ....
						sys_close(fd);
						  as102_release() // UAF!!
						    as102_usb_release()
						      kfree(); // DFB!!
```

When a USB character device registered with usb_register_dev() is later
unregistered (via usb_deregister_dev() or disconnect), the device node is
removed so new open() calls fail. However, file descriptors that are
already open do not go away immediately: they remain valid until the last
reference is dropped and the driver's .release() is invoked.

In as102, as102_usb_probe() calls usb_register_dev() and then, on an
error path, does usb_deregister_dev() and frees as102_dev_t right away.
If userspace raced a successful open() before the deregistration, that
open FD will later hit as102_release() --> as102_usb_release() and access
or free as102_dev_t again, occur a race to use-after-free and
double-free vuln.

The fix is to never kfree(as102_dev_t) directly once usb_register_dev()
has succeeded. After deregistration, defer freeing memory to .release().

In other words, let release() perform the last kfree when the final open
FD is closed.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version < 6.6.136
LinuxLinux Kernel Version >= 6.7 < 6.12.83
LinuxLinux Kernel Version >= 6.13 < 6.18.24
LinuxLinux Kernel Version >= 6.19 < 6.19.14
LinuxLinux Kernel Version >= 7.0 < 7.0.1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.13% 0.027
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/582fbecb3756330006fe1950762412a68c2cacd2
Patch
https://git.kernel.org/stable/c/09e9206008b887aa553733bd915d73131071a086
Patch
https://git.kernel.org/stable/c/2eeae47a438694408189138048a786be99954032
Patch
https://git.kernel.org/stable/c/7e5aedf6059cba2a669d86caeaf5a51f33ec85a1
Patch
https://git.kernel.org/stable/c/8bd29dbe03fc5b0f039ab2395ff37b64236d2f0c
Patch
https://git.kernel.org/stable/c/cb8092038e95dc1113a68e63762de40fff61ba71
Patch
https://git.kernel.org/stable/c/07ceb444c8f627cf863864d4274b5a77769725ed
https://git.kernel.org/stable/c/0d36653a3a821e5a974798adb347b3ea09332914
https://git.kernel.org/stable/c/25d500cf391e384356a612b85cf60b353ad3cd0c