Description
In the Linux kernel, the following vulnerability has been resolved:

media: hackrf: fix to not free memory after the device is registered in hackrf_probe()

In hackrf driver, the following race condition occurs:
```
CPU0 CPU1
hackrf_probe()
kzalloc(); // alloc hackrf_dev
....
v4l2_device_register();
....
fd = sys_open("/path/to/dev"); // open hackrf fd
....
v4l2_device_unregister();
....
kfree(); // free hackrf_dev
....
sys_ioctl(fd, ...);
v4l2_ioctl();
video_is_registered() // UAF!!
....
sys_close(fd);
v4l2_release() // UAF!!
hackrf_video_release()
kfree(); // DFB!!
```

When a V4L2 or video device is unregistered, the device node is removed so
new open() calls are blocked.

However, file descriptors that are already open-and any in-flight I/O-do
not terminate immediately; they remain valid until the last reference is
dropped and the driver's release() is invoked.

Therefore, freeing device memory on the error path after hackrf_probe()
has registered dev it will lead to a race to use-after-free vuln, since
those already-open handles haven't been released yet.

And since release() free memory too, race to use-after-free and
double-free vuln occur.

To prevent this, if device is registered from probe(), it should be
modified to free memory only through release() rather than calling
kfree() directly.
Published: 2026-04-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use‑After‑Free / Double‑Free causing kernel memory corruption or code execution
Action: Immediate Patch
AI Analysis

Impact

In the Linux kernel’s hackrf media driver, a race condition allows memory allocated for the hackrf_dev structure to be freed while still referenced by open file descriptors. This premature free produces a use‑after‑free followed by a double‑free on device unregister and release, enabling kernel memory corruption, system crashes, or arbitrary code execution. The weakness is classified as a race condition and memory safety violation (CWE‑364, CWE‑416).

Affected Systems

All Linux kernel builds that include the hackrf driver are affected; any kernel version before the patch that removes the premature kfree call in hackrf_probe() is vulnerable. The flaw exists on any host where the hackrf driver is loaded and the /dev/hackrf device is exposed to userspace. Administrators should verify whether the hackrf module is in use on each system.

Risk and Exploitability

The CVSS score of 7.8 marks this as high severity, and an EPSS score of less than 1 % indicates a low but non‑zero likelihood of exploitation. The issue requires a local attacker with access to the /dev/hackrf device to open it during the probe/unregister race, potentially leading to kernel memory corruption or privilege escalation. Although it is not currently listed in CISA’s KEV catalog, the presence of a race condition warrants prompt mitigation.

Generated by OpenCVE AI on April 28, 2026 at 14:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel patch that removes the premature kfree in hackrf_probe() and rebuild or update the kernel.
  • If the patch cannot be applied immediately, disable or block the hackrf driver (e.g., by blacklisting the module or preventing /dev/hackrf from being created).
  • After applying the patch or disabling the driver, stop all processes that have opened /dev/hackrf and restart them to ensure no lingering file descriptors remain.

Generated by OpenCVE AI on April 28, 2026 at 14:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Mon, 27 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
References

Mon, 27 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
References

Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References

Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: media: hackrf: fix to not free memory after the device is registered in hackrf_probe() In hackrf driver, the following race condition occurs: ``` CPU0 CPU1 hackrf_probe() kzalloc(); // alloc hackrf_dev .... v4l2_device_register(); .... fd = sys_open("/path/to/dev"); // open hackrf fd .... v4l2_device_unregister(); .... kfree(); // free hackrf_dev .... sys_ioctl(fd, ...); v4l2_ioctl(); video_is_registered() // UAF!! .... sys_close(fd); v4l2_release() // UAF!! hackrf_video_release() kfree(); // DFB!! ``` When a V4L2 or video device is unregistered, the device node is removed so new open() calls are blocked. However, file descriptors that are already open-and any in-flight I/O-do not terminate immediately; they remain valid until the last reference is dropped and the driver's release() is invoked. Therefore, freeing device memory on the error path after hackrf_probe() has registered dev it will lead to a race to use-after-free vuln, since those already-open handles haven't been released yet. And since release() free memory too, race to use-after-free and double-free vuln occur. To prevent this, if device is registered from probe(), it should be modified to free memory only through release() rather than calling kfree() directly.
Title media: hackrf: fix to not free memory after the device is registered in hackrf_probe()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:11:27.807Z

Reserved: 2026-03-09T15:48:24.119Z

Link: CVE-2026-31576

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T15:16:32.230

Modified: 2026-04-27T20:40:20.953

Link: CVE-2026-31576

cve-icon Redhat

Severity :

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31576 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T14:15:34Z

Weaknesses