Description
In the Linux kernel, the following vulnerability has been resolved:

media: as102: fix to not free memory after the device is registered in as102_usb_probe()

In as102_usb driver, the following race condition occurs:
```
CPU0 CPU1
as102_usb_probe()
kzalloc(); // alloc as102_dev_t
....
usb_register_dev();
fd = sys_open("/path/to/dev"); // open as102 fd
....
usb_deregister_dev();
....
kfree(); // free as102_dev_t
....
sys_close(fd);
as102_release() // UAF!!
as102_usb_release()
kfree(); // DFB!!
```

When a USB character device registered with usb_register_dev() is later
unregistered (via usb_deregister_dev() or disconnect), the device node is
removed so new open() calls fail. However, file descriptors that are
already open do not go away immediately: they remain valid until the last
reference is dropped and the driver's .release() is invoked.

In as102, as102_usb_probe() calls usb_register_dev() and then, on an
error path, does usb_deregister_dev() and frees as102_dev_t right away.
If userspace raced a successful open() before the deregistration, that
open FD will later hit as102_release() --> as102_usb_release() and access
or free as102_dev_t again, occur a race to use-after-free and
double-free vuln.

The fix is to never kfree(as102_dev_t) directly once usb_register_dev()
has succeeded. After deregistration, defer freeing memory to .release().

In other words, let release() perform the last kfree when the final open
FD is closed.
Published: 2026-04-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use‑After‑Free and Double‑Free (memory corruption)
Action: Immediate Patch
AI Analysis

Impact

This is a race condition in the Linux as102 USB character device driver that can trigger a use‑after‑free followed by a double‑free when the device is deregistered while file descriptors are still open. The flaw arises because the driver frees the device structure immediately after a failed deregistration path, even though the device node may still be referenced by user‑space handles. If a user opens the device between registration and deregistration, the subsequent close invokes the same deallocation, corrupting kernel memory. According to the CWE identifiers, this is a use‑after‑free (CWE‑416) and a double‑free (CWE‑364).

Affected Systems

The vulnerability applies to all Linux kernel builds that contain the as102 USB driver before the patch that changes the deallocation logic. The affected vendor is Linux Kernel, and all distributions based on it are impacted until they incorporate the upstream commit referenced in the advisory. No specific kernel version is listed; therefore any kernel that has not merged the documented fix remains vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates a high impact for a local attacker with sufficient privileges or access to the USB device. The EPSS score of <1% suggests exploit attempts are currently rare, and the vulnerability is not yet listed in CISA’s KEV catalog. The likely attack vector is a race condition triggered by inserting and removing the USB device while a local user has an open file descriptor on the device, which would result in memory corruption once the device is finally released. While the attack requires a local or privileged context and a specific race condition, the presence of the flaw warrants timely remediation.

Generated by OpenCVE AI on April 28, 2026 at 20:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel version that includes the as102 USB driver patch (commit 09e9206) or a later release.
  • If an upgrade is not immediately possible, apply the upstream patch to the kernel source and rebuild the affected modules or kernel.
  • Reboot after patching to ensure the device node is removed immediately upon deregistration and the device structure is freed only after the last reference is released.

Generated by OpenCVE AI on April 28, 2026 at 20:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Mon, 27 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
References

Mon, 27 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
References

Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References

Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: media: as102: fix to not free memory after the device is registered in as102_usb_probe() In as102_usb driver, the following race condition occurs: ``` CPU0 CPU1 as102_usb_probe() kzalloc(); // alloc as102_dev_t .... usb_register_dev(); fd = sys_open("/path/to/dev"); // open as102 fd .... usb_deregister_dev(); .... kfree(); // free as102_dev_t .... sys_close(fd); as102_release() // UAF!! as102_usb_release() kfree(); // DFB!! ``` When a USB character device registered with usb_register_dev() is later unregistered (via usb_deregister_dev() or disconnect), the device node is removed so new open() calls fail. However, file descriptors that are already open do not go away immediately: they remain valid until the last reference is dropped and the driver's .release() is invoked. In as102, as102_usb_probe() calls usb_register_dev() and then, on an error path, does usb_deregister_dev() and frees as102_dev_t right away. If userspace raced a successful open() before the deregistration, that open FD will later hit as102_release() --> as102_usb_release() and access or free as102_dev_t again, occur a race to use-after-free and double-free vuln. The fix is to never kfree(as102_dev_t) directly once usb_register_dev() has succeeded. After deregistration, defer freeing memory to .release(). In other words, let release() perform the last kfree when the final open FD is closed.
Title media: as102: fix to not free memory after the device is registered in as102_usb_probe()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:11:30.105Z

Reserved: 2026-03-09T15:48:24.119Z

Link: CVE-2026-31578

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T15:16:32.480

Modified: 2026-04-27T20:42:44.453

Link: CVE-2026-31578

cve-icon Redhat

Severity :

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31578 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T20:30:06Z

Weaknesses