Description
In the Linux kernel, the following vulnerability has been resolved:

gpio: virtuser: fix UAF in configfs release path

The gpio-virtuser configfs release path uses guard(mutex) to protect
the device structure. However, the device is freed before the guard
cleanup runs, causing mutex_unlock() to operate on freed memory.

Specifically, gpio_virtuser_device_config_group_release() destroys
the mutex and frees the device while still inside the guard(mutex)
scope. When the function returns, the guard cleanup invokes
mutex_unlock(&dev->lock), resulting in a slab use-after-free.

Limit the mutex lifetime by using a scoped_guard() only around the
activation check, so that the lock is released before mutex_destroy()
and kfree() are called.
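
The lifetime bug described above, as an added userspace model in C (not the kernel patch and not kernel code). The `model_*` types, the `GUARD` macro and `run()` are hypothetical stand-ins for the mutex, guard(mutex)/scoped_guard() and the release callback; the free is only recorded, so the program never touches freed memory.

```c
/* Userspace model, constructed for illustration; not kernel code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct model_mutex { bool locked; };
struct model_dev { struct model_mutex lock; bool active; };
static bool dev_freed;          /* set once model_kfree() has run */
static int unlocks_after_free;  /* unlocks that would have hit freed memory */
static void model_lock(struct model_mutex *m) { m->locked = true; }
static void model_unlock(struct model_mutex *m)
{
    if (dev_freed) { unlocks_after_free++; return; } /* record, don't touch */
    m->locked = false;
}
/* Marks the object freed; run() does the real free() so the model stays defined. */
static void model_kfree(struct model_dev *dev) { (void)dev; dev_freed = true; }

/* Same mechanism as the kernel's guard(): unlock fires when the variable leaves scope. */
static void guard_exit(struct model_mutex **m) { model_unlock(*m); }
#define GUARD(m) struct model_mutex *guard_ \
    __attribute__((cleanup(guard_exit), unused)) = (model_lock(m), (m))

static void release_buggy(struct model_dev *dev)
{
    GUARD(&dev->lock);                     /* scope is the whole function */
    if (dev->active) dev->active = false;  /* stands in for the activation check */
    model_kfree(dev);                      /* freed while the guard is still armed */
}                                          /* cleanup runs here: unlock after free */

static void release_fixed(struct model_dev *dev)
{
    {                                      /* scoped_guard() equivalent */
        GUARD(&dev->lock);
        if (dev->active) dev->active = false;
    }                                      /* unlock happens here, before the free */
    model_kfree(dev);
}
/* Returns how many unlocks ran after the free (0 is correct), -1 on allocation failure. */
static int run(void (*release)(struct model_dev *))
{
    struct model_dev *dev = calloc(1, sizeof(*dev));
    if (!dev) return -1;
    dev->active = true; dev_freed = false; unlocks_after_free = 0;
    release(dev);
    free(dev);                             /* the real free, after all cleanups ran */
    return unlocks_after_free;
}
int main(void) { printf("buggy=%d fixed=%d\n", run(release_buggy), run(release_fixed)); return 0; }
```

The cleanup attribute is a GCC/Clang extension, so build with one of those compilers.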
Published: 2026-02-14
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel Use‑After‑Free
Action: Patch Now
AI Analysis

Impact

In the Linux kernel, the gpio‑virtuser configfs release path had a bug where the device structure was freed before the mutex guard cleanup ran, causing a slab use‑after‑free. The mutex was destroyed and memory freed while still inside the guard scope, so the subsequent mutex_unlock() operated on invalid memory. This flaw could be exploited to gain arbitrary code execution or compromise kernel integrity.

Affected Systems

The Linux kernel is affected, specifically the 6.19 release candidates (rc1 through rc7). The vulnerability exists in the standard Linux kernel and affects systems running these kernel versions without the patch or a backport applied.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. The EPSS score is less than 1%, suggesting a currently low probability of exploitation, though it is not zero. The vulnerability is not listed in the CISA KEV catalog. Likely attack vectors involve local privilege escalation through interaction with the gpio‑virtuser configfs entries, which may be accessible to unprivileged users in some deployments. Once triggered, the use‑after‑free can allow an attacker to execute arbitrary code in kernel mode.

Generated by OpenCVE AI on April 17, 2026 at 19:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel release that includes the fix or backport the patch to the running kernel.
  • Remove or unmount the configfs gpio‑virtuser entries until the patch is applied to prevent the triggering path.
  • If immediate kernel update is not possible, disable the virtuser module or restrict access to configfs so that only trusted processes can interact with the gpio‑virtuser device.



Advisories

No advisories yet.

History

Wed, 18 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 17 Feb 2026 00:15:00 +0000


Sat, 14 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: gpio: virtuser: fix UAF in configfs release path The gpio-virtuser configfs release path uses guard(mutex) to protect the device structure. However, the device is freed before the guard cleanup runs, causing mutex_unlock() to operate on freed memory. Specifically, gpio_virtuser_device_config_group_release() destroys the mutex and frees the device while still inside the guard(mutex) scope. When the function returns, the guard cleanup invokes mutex_unlock(&dev->lock), resulting in a slab use-after-free. Limit the mutex lifetime by using a scoped_guard() only around the activation check, so that the lock is released before mutex_destroy() and kfree() are called.
Title gpio: virtuser: fix UAF in configfs release path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-14T16:01:24.568Z

Reserved: 2026-01-13T15:37:45.978Z

Link: CVE-2026-23158

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-02-14T16:15:55.967

Modified: 2026-03-18T14:19:55.513

Link: CVE-2026-23158

Red Hat

Severity:

Public Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23158 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T19:45:25Z

Weaknesses