Description
In the Linux kernel, the following vulnerability has been resolved:

hwmon: (powerz) Fix use-after-free on USB disconnect

After powerz_disconnect() frees the URB and releases the mutex, a
subsequent powerz_read() call can acquire the mutex and call
powerz_read_data(), which dereferences the freed URB pointer.

Fix by:
- Setting priv->urb to NULL in powerz_disconnect() so that powerz_read_data() can detect the disconnected state.
- Adding a !priv->urb check at the start of powerz_read_data() to return -ENODEV on a disconnected device.
- Moving usb_set_intfdata() before hwmon registration so the disconnect handler can always find the priv pointer.
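
The disconnect/read ordering described above, modelled in user-space C as an added example. This is not the kernel's powerz driver code: the struct names, the pthread mutex standing in for the driver mutex, `fake_urb`, and the `intfdata` slot standing in for usb_set_intfdata() are constructed stand-ins. The model shows why clearing `priv->urb` under the mutex and checking it at the top of the read path turns a dangling dereference into a clean -ENODEV.

```c
/* Added example: user-space model of the powerz disconnect/read race.
 * Not the kernel driver; all names below are constructed stand-ins. */
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the USB request block the driver keeps around. */
struct fake_urb {
    unsigned char data[8];
};

struct powerz_priv {
    pthread_mutex_t mutex;
    struct fake_urb *urb;   /* NULL once the device has been disconnected */
};

/* Stand-in for the interface's driver-data slot (usb_set_intfdata). */
static struct powerz_priv *intfdata;

/* Stand-in for hwmon registration; may run callbacks that need intfdata. */
static int register_hwmon(struct powerz_priv *priv)
{
    return intfdata == priv ? 0 : -EINVAL;
}

/* Probe: intfdata is set BEFORE registration, so disconnect can always
 * find priv even if it races with or follows a failed registration. */
static struct powerz_priv *probe(void)
{
    struct powerz_priv *priv = calloc(1, sizeof *priv);
    if (!priv)
        return NULL;
    pthread_mutex_init(&priv->mutex, NULL);
    priv->urb = calloc(1, sizeof *priv->urb);
    if (!priv->urb) {
        free(priv);
        return NULL;
    }
    memset(priv->urb->data, 0x42, sizeof priv->urb->data); /* constructed sample */
    intfdata = priv;                 /* set before registration */
    if (register_hwmon(priv) != 0) {
        free(priv->urb);
        free(priv);
        intfdata = NULL;
        return NULL;
    }
    return priv;
}

/* Fixed disconnect: free the URB and clear the pointer under the mutex.
 * Before the fix, the pointer was left dangling after free(). */
static void disconnect(void)
{
    struct powerz_priv *priv = intfdata;
    pthread_mutex_lock(&priv->mutex);
    free(priv->urb);
    priv->urb = NULL;                /* the fix: readers can now detect disconnect */
    pthread_mutex_unlock(&priv->mutex);
}

/* Fixed read_data: bail out with -ENODEV instead of dereferencing NULL. */
static int read_data(struct powerz_priv *priv, unsigned char *out)
{
    if (!priv->urb)
        return -ENODEV;
    memcpy(out, priv->urb->data, sizeof priv->urb->data);
    return 0;
}

/* The sysfs read path: take the mutex, then read. */
static int powerz_read(struct powerz_priv *priv, unsigned char *out)
{
    pthread_mutex_lock(&priv->mutex);
    int ret = read_data(priv, out);
    pthread_mutex_unlock(&priv->mutex);
    return ret;
}

/* Returns 1 when a read succeeds before disconnect and fails with -ENODEV
 * after it, which is the behaviour the fix establishes. */
static int demo_disconnect_then_read(void)
{
    unsigned char buf[8];
    struct powerz_priv *priv = probe();
    if (!priv)
        return 0;
    int before = powerz_read(priv, buf);
    disconnect();
    int after = powerz_read(priv, buf);
    pthread_mutex_destroy(&priv->mutex);
    free(priv);
    intfdata = NULL;
    return before == 0 && after == -ENODEV;
}

int main(void)
{
    printf("fix observed: %s\n", demo_disconnect_then_read() ? "yes" : "no");
    return 0;
}
```

The important detail is that both the clearing of `priv->urb` and the check of it happen with the mutex held: a read that wins the lock first still sees a valid URB, and a read that loses the lock sees NULL, so there is no window in which the freed pointer is dereferenced.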
Published: 2026-04-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel crash (Denial of Service)
Action: Patch Now
AI Analysis

Impact

The vulnerability is a use-after-free in the powerz hwmon driver that occurs when a USB device is disconnected while the driver still holds a reference to the freed URB structure. A subsequent read operation dereferences the stale pointer, which can trigger a kernel crash. The weakness corresponds to CWE-416 and CWE-825, reflecting a use-after-free and a null pointer dereference.

Affected Systems

All versions of the Linux kernel that include the powerz hwmon driver and have not yet applied the fix that clears the URB pointer on disconnect are affected. The product is the Linux kernel; the vendor is Linux and the product identifier is Linux:Linux. Specific affected releases are those that do not contain the commit sequence referenced in the advisory links.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity impact if successfully exploited. The EPSS score is less than 1%, suggesting that exploitation events are rare. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attacker would need to cause a USB device to disconnect and then trigger a read operation. This attack vector is inferred from the stated conditions and requires the attacker to control the device or the environment to induce the disconnect. While not explicitly documented as feasible, it is considered difficult but not impossible to exploit under the right circumstances.

Generated by OpenCVE AI on April 28, 2026 at 23:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the patch that nulls the URB pointer on powerz disconnect.
  • If an upgrade is not immediately possible, unbind or remove the powerz hwmon device from the system to eliminate the vulnerable code paths, or ensure that no authorized USB devices remain connected that could trigger the bug.
  • If the system must continue to use the powerz driver, unload the module with 'modprobe -r powerz' or otherwise disable the driver until a patch can be applied.

Generated by OpenCVE AI on April 28, 2026 at 23:44 UTC.

Tracking


Advisories
Source       ID          Title
Debian DSA   DSA-6238-1  linux security update
History

Mon, 27 Apr 2026 20:30:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-416
Metrics                       cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 27 Apr 2026 11:30:00 +0000


Sat, 25 Apr 2026 00:15:00 +0000


Fri, 24 Apr 2026 15:00:00 +0000

Type                 Values Removed   Values Added
Description                           In the Linux kernel, the following vulnerability has been resolved: hwmon: (powerz) Fix use-after-free on USB disconnect After powerz_disconnect() frees the URB and releases the mutex, a subsequent powerz_read() call can acquire the mutex and call powerz_read_data(), which dereferences the freed URB pointer. Fix by: - Setting priv->urb to NULL in powerz_disconnect() so that powerz_read_data() can detect the disconnected state. - Adding a !priv->urb check at the start of powerz_read_data() to return -ENODEV on a disconnected device. - Moving usb_set_intfdata() before hwmon registration so the disconnect handler can always find the priv pointer.
Title                                 hwmon: (powerz) Fix use-after-free on USB disconnect
First Time appeared                   Linux; Linux linux Kernel
CPEs                                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                    Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:11:34.784Z

Reserved: 2026-03-09T15:48:24.119Z

Link: CVE-2026-31582

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-24T15:16:32.903

Modified: 2026-04-27T20:26:58.400

Link: CVE-2026-31582

Redhat

Severity:

Public Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31582 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T23:45:16Z

Weaknesses