CVE-2026-31399 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

nvdimm/bus: Fix potential use after free in asynchronous initialization

Dingisoul with KASAN reports a use after free if device_add() fails in
nd_async_device_register().

Commit b6eae0f61db2 ("libnvdimm: Hold reference on parent while
scheduling async init") correctly added a reference on the parent device
to be held until asynchronous initialization was complete. However, if
device_add() results in an allocation failure the ref count of the
device drops to 0 prior to the parent pointer being accessed. Thus
resulting in use after free.

The bug bot AI correctly identified the fix. Save a reference to the
parent pointer to be used to drop the parent reference regardless of the
outcome of device_add().

Published: 2026-04-03

Score: 4.7 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A use‑after‑free flaw exists in the Linux kernel’s NVDIMM bus subsystem during asynchronous initialization. When device_add() fails in nd_async_device_register(), the reference count of the parent device can be dropped to zero before the code later accesses the parent pointer, resulting in a dangling pointer dereference. This memory corruption can cause a kernel crash or, if an attacker can manipulate the failure, may enable arbitrary code execution with kernel privileges. The weakness is a classic use‑after‑free and is listed as CWE‑416. No CVSS score is provided in the data, but the potential impact on kernel integrity and confidentiality is high.

Affected Systems

All Linux kernel releases that include the NVDIMM bus subsystem but lack the patch introduced by commit b6eae0f61db2. In practice, this means any kernel version before the commit that added the parent reference handling during asynchronous initialization. Users should verify whether their distribution’s kernel contains this commit or a later equivalent patch.

Risk and Exploitability

The exploitability of the vulnerability is constrained to environments where the malicious party can trigger an asynchronous initialization failure of an NVDIMM device, typically requiring local system access or the ability to influence device add operations. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation. Nevertheless, the kernel memory corruption nature warrants immediate attention, as the flaw can lead to unrestricted kernel access if exploited successfully.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`b6eae0f61db27748606cc00dafcfd1e2c032f0a5`	affected	< 9a0fb16ba5b372465a3a1ecd761c6fa911a4ab4d
`b6eae0f61db27748606cc00dafcfd1e2c032f0a5`	affected	< e48bf8f1d2b12c1c5ba1f609edbd4cde5dadc20e
`b6eae0f61db27748606cc00dafcfd1e2c032f0a5`	affected	< 2c638259ad750833fd46a0cf57672a618542d84c
`b6eae0f61db27748606cc00dafcfd1e2c032f0a5`	affected	< a226e5b49e5fe8c98b14f8507de670189d191348
`b6eae0f61db27748606cc00dafcfd1e2c032f0a5`	affected	< 84af19855d1abdee3c9d57c0684e2868e391793c
`b6eae0f61db27748606cc00dafcfd1e2c032f0a5`	affected	< a8aec14230322ed8f1e8042b6d656c1631d41163
`8954771abdea5c34280870e35592c7226a816d95`	affected	—
`3e63a7f25cc85d3d3e174b9b0e3489ebb7eaf4ab`	affected	—
`1490de2bb0836fc0631c04d0559fdf81545b672f`	affected	—
`e31a8418c8df7e6771414f99ed3d95ba8aca4e05`	affected	—
`4f1a55a4f990016406147cf3e0c9487bf83e50f0`	affected	—

Linux

affected

Version	Status	Constraints
`4.20`	affected	—
`0`	unaffected	< 4.20
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.20`	unaffected	≤ 6.18.*
`6.19.10`	unaffected	≤ 6.19.*
`7.0-rc5`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[b6eae0f61db27748606cc00dafcfd1e2c032f0a5,9a0fb16ba5b372465a3a1ecd761c6fa911a4ab4d)`	affected	code_commit	—
`[b6eae0f61db27748606cc00dafcfd1e2c032f0a5,e48bf8f1d2b12c1c5ba1f609edbd4cde5dadc20e)`	affected	code_commit	—
`[b6eae0f61db27748606cc00dafcfd1e2c032f0a5,2c638259ad750833fd46a0cf57672a618542d84c)`	affected	code_commit	—
`[b6eae0f61db27748606cc00dafcfd1e2c032f0a5,a226e5b49e5fe8c98b14f8507de670189d191348)`	affected	code_commit	—
`[b6eae0f61db27748606cc00dafcfd1e2c032f0a5,84af19855d1abdee3c9d57c0684e2868e391793c)`	affected	code_commit	—
`[b6eae0f61db27748606cc00dafcfd1e2c032f0a5,a8aec14230322ed8f1e8042b6d656c1631d41163)`	affected	code_commit	—
`8954771abdea5c34280870e35592c7226a816d95`	affected	code_commit	—
`3e63a7f25cc85d3d3e174b9b0e3489ebb7eaf4ab`	affected	code_commit	—
`1490de2bb0836fc0631c04d0559fdf81545b672f`	affected	code_commit	—
`e31a8418c8df7e6771414f99ed3d95ba8aca4e05`	affected	code_commit	—
`4f1a55a4f990016406147cf3e0c9487bf83e50f0`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.20`	affected	generic	—
`[0,4.20)`	unaffected	generic	—
`[6.1.167,6.1.*]`	unaffected	generic	—
`[6.6.130,6.6.*]`	unaffected	generic	—
`[6.12.78,6.12.*]`	unaffected	generic	—
`[6.18.20,6.18.*]`	unaffected	generic	—
`[6.19.10,6.19.*]`	unaffected	generic	—
`[7.0-rc5,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes commit b6eae0f61db2 or any later patch that addresses the NVDIMM bus use‑after‑free.
If a kernel upgrade is not immediately possible, disable or unload the NVDIMM related kernel modules to prevent the vulnerable code path from executing.
Run memory‑safety tests such as Kernel Address Sanitizer (KASAN) in a staging environment before deploying the patched kernel to ensure kernel stability and detect any lingering reference‑counting issues.

Generated by OpenCVE AI on April 3, 2026 at 19:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2c638259ad750833fd46a0cf57672a618542d84c
https://git.kernel.org/stable/c/84af19855d1abdee3c9d57c0684e2868e391793c
https://git.kernel.org/stable/c/9a0fb16ba5b372465a3a1ecd761c6fa911a4ab4d
https://git.kernel.org/stable/c/a226e5b49e5fe8c98b14f8507de670189d191348
https://git.kernel.org/stable/c/a8aec14230322ed8f1e8042b6d656c1631d41163
https://git.kernel.org/stable/c/e48bf8f1d2b12c1c5ba1f609edbd4cde5dadc20e
https://lore.kernel.org/linux-cve-announce/2026040326-CVE-2026-31399-9b84@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31399
https://www.cve.org/CVERecord?id=CVE-2026-31399

History

Sat, 04 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-911
References		https://lore.kernel.org/linux-cve-announce/2026040326-CVE-2026-31399-9b84@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31399 https://www.cve.org/CVERecord?id=CVE-2026-31399
Metrics	threat_severity `None`	cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Fri, 03 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Fri, 03 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: nvdimm/bus: Fix potential use after free in asynchronous initialization Dingisoul with KASAN reports a use after free if device_add() fails in nd_async_device_register(). Commit b6eae0f61db2 ("libnvdimm: Hold reference on parent while scheduling async init") correctly added a reference on the parent device to be held until asynchronous initialization was complete. However, if device_add() results in an allocation failure the ref count of the device drops to 0 prior to the parent pointer being accessed. Thus resulting in use after free. The bug bot AI correctly identified the fix. Save a reference to the parent pointer to be used to drop the parent reference regardless of the outcome of device_add().
Title		nvdimm/bus: Fix potential use after free in asynchronous initialization
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2c638259ad750833fd46a0cf57672a618542d84c https://git.kernel.org/stable/c/84af19855d1abdee3c9d57c0684e2868e391793c https://git.kernel.org/stable/c/9a0fb16ba5b372465a3a1ecd761c6fa911a4ab4d https://git.kernel.org/stable/c/a226e5b49e5fe8c98b14f8507de670189d191348 https://git.kernel.org/stable/c/a8aec14230322ed8f1e8042b6d656c1631d41163 https://git.kernel.org/stable/c/e48bf8f1d2b12c1c5ba1f609edbd4cde5dadc20e

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-03T15:16:03.246Z

Updated: 2026-04-03T15:16:03.246Z

Reserved: 2026-03-09T15:48:24.085Z

Link: CVE-2026-31399

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-03T16:16:38.410

Modified: 2026-04-03T16:16:38.410

Link: CVE-2026-31399

Redhat

Severity : Moderate

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-31399 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T21:15:27Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object