CVE-2026-31399 - Vulnerability Details

- nvdimm/bus: Fix potential use after free in asynchronous initialization

Description

In the Linux kernel, the following vulnerability has been resolved:

nvdimm/bus: Fix potential use after free in asynchronous initialization

Dingisoul with KASAN reports a use after free if device_add() fails in
nd_async_device_register().

Commit b6eae0f61db2 ("libnvdimm: Hold reference on parent while
scheduling async init") correctly added a reference on the parent device
to be held until asynchronous initialization was complete. However, if
device_add() results in an allocation failure the ref count of the
device drops to 0 prior to the parent pointer being accessed. Thus
resulting in use after free.

The bug bot AI correctly identified the fix. Save a reference to the
parent pointer to be used to drop the parent reference regardless of the
outcome of device_add().

Published: 2026-04-03

Score: 4.7 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An attacker could trigger a use-after-free violation by causing device_add() to fail during the asynchronous initialization of a non-volatile memory device. The flaw arises because the parent device reference is released before the child device is fully initialized, leaving a dangling pointer that can be dereferenced. This denial-of-service vector undermines the stability and correctness of the kernel, potentially leading to kernel panics or loss of service for systems relying on NVDIMM devices.

Affected Systems

The vulnerability applies to the Linux kernel itself. All installations where the kernel includes the nvdimm/bus subsystem and is susceptible to asynchronous device registration would be at risk. No specific kernel version range is provided in the data, so a careful review of release notes is needed to confirm exposure.

Risk and Exploitability

The CVSS score of 4.7 places the issue in the medium severity range. Exploitation seems plausible only if an attacker can influence the creation of a non-volatile memory device whose addition fails, which suggests a local or privileged attack surface rather than a remote one. With an EPSS score of less than 1% and no listing in CISA’s KEV catalog, it is unlikely to be widely exploited at this time, but the inherent use-after-free flaw warrants prompt remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`b6eae0f61db27748606cc00dafcfd1e2c032f0a5`	affected	< 6fc36c2a925ceaba203eb13d75a8f0879a2c121b
`b6eae0f61db27748606cc00dafcfd1e2c032f0a5`	affected	< a36cf138500e56f50db9f9a33222df6969b38326
`b6eae0f61db27748606cc00dafcfd1e2c032f0a5`	affected	< 9a0fb16ba5b372465a3a1ecd761c6fa911a4ab4d
`b6eae0f61db27748606cc00dafcfd1e2c032f0a5`	affected	< e48bf8f1d2b12c1c5ba1f609edbd4cde5dadc20e
`b6eae0f61db27748606cc00dafcfd1e2c032f0a5`	affected	< 2c638259ad750833fd46a0cf57672a618542d84c
`b6eae0f61db27748606cc00dafcfd1e2c032f0a5`	affected	< a226e5b49e5fe8c98b14f8507de670189d191348
`b6eae0f61db27748606cc00dafcfd1e2c032f0a5`	affected	< 84af19855d1abdee3c9d57c0684e2868e391793c
`b6eae0f61db27748606cc00dafcfd1e2c032f0a5`	affected	< a8aec14230322ed8f1e8042b6d656c1631d41163
`8954771abdea5c34280870e35592c7226a816d95`	affected	—
`3e63a7f25cc85d3d3e174b9b0e3489ebb7eaf4ab`	affected	—
`1490de2bb0836fc0631c04d0559fdf81545b672f`	affected	—
`e31a8418c8df7e6771414f99ed3d95ba8aca4e05`	affected	—
`4f1a55a4f990016406147cf3e0c9487bf83e50f0`	affected	—

Linux

affected

Version	Status	Constraints
`4.20`	affected	—
`0`	unaffected	< 4.20
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.20`	unaffected	≤ 6.18.*
`6.19.10`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[b6eae0f61db27748606cc00dafcfd1e2c032f0a5,9a0fb16ba5b372465a3a1ecd761c6fa911a4ab4d)`	affected	code_commit	—
`[b6eae0f61db27748606cc00dafcfd1e2c032f0a5,e48bf8f1d2b12c1c5ba1f609edbd4cde5dadc20e)`	affected	code_commit	—
`[b6eae0f61db27748606cc00dafcfd1e2c032f0a5,2c638259ad750833fd46a0cf57672a618542d84c)`	affected	code_commit	—
`[b6eae0f61db27748606cc00dafcfd1e2c032f0a5,a226e5b49e5fe8c98b14f8507de670189d191348)`	affected	code_commit	—
`[b6eae0f61db27748606cc00dafcfd1e2c032f0a5,84af19855d1abdee3c9d57c0684e2868e391793c)`	affected	code_commit	—
`[b6eae0f61db27748606cc00dafcfd1e2c032f0a5,a8aec14230322ed8f1e8042b6d656c1631d41163)`	affected	code_commit	—
`8954771abdea5c34280870e35592c7226a816d95`	affected	code_commit	—
`3e63a7f25cc85d3d3e174b9b0e3489ebb7eaf4ab`	affected	code_commit	—
`1490de2bb0836fc0631c04d0559fdf81545b672f`	affected	code_commit	—
`e31a8418c8df7e6771414f99ed3d95ba8aca4e05`	affected	code_commit	—
`4f1a55a4f990016406147cf3e0c9487bf83e50f0`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.20`	affected	generic	—
`[0,4.20)`	unaffected	generic	—
`[6.1.167,6.1.*]`	unaffected	generic	—
`[6.6.130,6.6.*]`	unaffected	generic	—
`[6.12.78,6.12.*]`	unaffected	generic	—
`[6.18.20,6.18.*]`	unaffected	generic	—
`[6.19.10,6.19.*]`	unaffected	generic	—
`[7.0-rc5,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes commit b6eae0f61db2 in libnvdimm (or later) which holds a reference on the parent during async initialization.

Generated by OpenCVE AI on April 7, 2026 at 09:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2c638259ad750833fd46a0cf57672a618542d84c
https://git.kernel.org/stable/c/6fc36c2a925ceaba203eb13d75a8f0879a2c121b
https://git.kernel.org/stable/c/84af19855d1abdee3c9d57c0684e2868e391793c
https://git.kernel.org/stable/c/9a0fb16ba5b372465a3a1ecd761c6fa911a4ab4d
https://git.kernel.org/stable/c/a226e5b49e5fe8c98b14f8507de670189d191348
https://git.kernel.org/stable/c/a36cf138500e56f50db9f9a33222df6969b38326
https://git.kernel.org/stable/c/a8aec14230322ed8f1e8042b6d656c1631d41163
https://git.kernel.org/stable/c/e48bf8f1d2b12c1c5ba1f609edbd4cde5dadc20e
https://lore.kernel.org/linux-cve-announce/2026040326-CVE-2026-31399-9b84@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31399
https://www.cve.org/CVERecord?id=CVE-2026-31399

History

Sat, 18 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/6fc36c2a925ceaba203eb13d75a8f0879a2c121b https://git.kernel.org/stable/c/a36cf138500e56f50db9f9a33222df6969b38326

Tue, 07 Apr 2026 08:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Sat, 04 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-911
References		https://lore.kernel.org/linux-cve-announce/2026040326-CVE-2026-31399-9b84@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31399 https://www.cve.org/CVERecord?id=CVE-2026-31399
Metrics	threat_severity `None`	cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Fri, 03 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Fri, 03 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: nvdimm/bus: Fix potential use after free in asynchronous initialization Dingisoul with KASAN reports a use after free if device_add() fails in nd_async_device_register(). Commit b6eae0f61db2 ("libnvdimm: Hold reference on parent while scheduling async init") correctly added a reference on the parent device to be held until asynchronous initialization was complete. However, if device_add() results in an allocation failure the ref count of the device drops to 0 prior to the parent pointer being accessed. Thus resulting in use after free. The bug bot AI correctly identified the fix. Save a reference to the parent pointer to be used to drop the parent reference regardless of the outcome of device_add().
Title		nvdimm/bus: Fix potential use after free in asynchronous initialization
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2c638259ad750833fd46a0cf57672a618542d84c https://git.kernel.org/stable/c/84af19855d1abdee3c9d57c0684e2868e391793c https://git.kernel.org/stable/c/9a0fb16ba5b372465a3a1ecd761c6fa911a4ab4d https://git.kernel.org/stable/c/a226e5b49e5fe8c98b14f8507de670189d191348 https://git.kernel.org/stable/c/a8aec14230322ed8f1e8042b6d656c1631d41163 https://git.kernel.org/stable/c/e48bf8f1d2b12c1c5ba1f609edbd4cde5dadc20e

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-03T15:16:03.246Z

Updated: 2026-04-18T08:59:18.870Z

Reserved: 2026-03-09T15:48:24.085Z

Link: CVE-2026-31399

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-03T16:16:38.410

Modified: 2026-04-18T09:16:29.987

Link: CVE-2026-31399

Redhat

Severity : Moderate

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-31399 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:53:26Z

Weaknesses

CWE-911

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object