CVE-2026-31621 - Vulnerability Details

- bnge: return after auxiliary_device_uninit() in error path

Description

In the Linux kernel, the following vulnerability has been resolved:

bnge: return after auxiliary_device_uninit() in error path

When auxiliary_device_add() fails, the error block calls
auxiliary_device_uninit() but does not return. The uninit drops the
last reference and synchronously runs bnge_aux_dev_release(), which sets
bd->auxr_dev = NULL and frees the underlying object. The subsequent
bd->auxr_dev->net = bd->netdev then dereferences NULL, which is not a
good thing to have happen when trying to clean up from an error.

Add the missing return, as the auxiliary bus documentation states is a
requirement (seems that LLM tools read documentation better than humans
do...)

Published: 2026-04-24

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel, an error in the auxiliary bus code causes a NULL pointer dereference during cleanup of a failed auxiliary_device_add. The missing return statement allows the uninit routine to execute and free the auxiliary device structure, after which the code touches stored fields of the now‑NULL structure, leading to a kernel crash. This flaw involves a null pointer dereference (CWE‑476) and a missing return control flow error (CWE‑908) that results in a denial of service by causing the kernel to panic. The vulnerability does not provide a direct path for privilege escalation or data exfiltration; its primary impact is loss of availability.

Affected Systems

All Linux kernels that include the auxiliary bus implementation and have not applied the commit that adds the missing return are affected. No specific version list is provided, so any kernel prior to the patch is considered vulnerable.

Risk and Exploitability

The EPSS score is reported as less than 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a very low probability of prevalence in the wild. Exploitation would require local privileged code path to trigger the failed auxiliary_device_add, which is unlikely in most deployments. The high impact of a kernel crash makes prompt remediation important, but the low likelihood reduces urgency for environments that cannot immediately update the kernel. The CVSS score of 5.5 indicates moderate severity.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`8ac050ec3b1c0dcb5e89cf86fe2ebe0afcc73554`	affected	< 38c383ec6d37f4b5597f8e6a1f5c2ab31ea01d3a
`8ac050ec3b1c0dcb5e89cf86fe2ebe0afcc73554`	affected	< 87bc3557c708110d83086bf091328271298a44e3
`8ac050ec3b1c0dcb5e89cf86fe2ebe0afcc73554`	affected	< 8b0c25528cb64f71a73b5c0d49cbbcb68540a4ce

Linux

affected

Version	Status	Constraints
`6.19`	affected	—
`0`	unaffected	< 6.19
`6.19.14`	unaffected	≤ 6.19.*
`7.0.1`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[8ac050ec3b1c0dcb5e89cf86fe2ebe0afcc73554,38c383ec6d37f4b5597f8e6a1f5c2ab31ea01d3a)`	affected	code_commit	—
`[8ac050ec3b1c0dcb5e89cf86fe2ebe0afcc73554,87bc3557c708110d83086bf091328271298a44e3)`	affected	code_commit	—
`[8ac050ec3b1c0dcb5e89cf86fe2ebe0afcc73554,8b0c25528cb64f71a73b5c0d49cbbcb68540a4ce)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.19`	affected	generic	—
`[0,6.19)`	unaffected	semver	—
`[6.19.14,6.20.0)`	unaffected	semver	—
`[7.0.1,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel commit that adds a return after auxiliary_device_uninit in the error path.
Ensure the running kernel is at least the patched revision by upgrading to a newer kernel image.
If immediate kernel upgrade is not possible, avoid invoking auxiliary_device_add calls that might fail or disable auxiliary bus drivers while the unpatched code is in use.

Generated by OpenCVE AI on April 28, 2026 at 20:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/38c383ec6d37f4b5597f8e6a1f5c2ab31ea01d3a
https://git.kernel.org/stable/c/87bc3557c708110d83086bf091328271298a44e3
https://git.kernel.org/stable/c/8b0c25528cb64f71a73b5c0d49cbbcb68540a4ce
https://lore.kernel.org/linux-cve-announce/2026042425-CVE-2026-31621-0c38@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31621
https://www.cve.org/CVERecord?id=CVE-2026-31621

History

Tue, 28 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-908
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Mon, 27 Apr 2026 11:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/8b0c25528cb64f71a73b5c0d49cbbcb68540a4ce

Sat, 25 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476
References		https://lore.kernel.org/linux-cve-announce/2026042425-CVE-2026-31621-0c38@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31621 https://www.cve.org/CVERecord?id=CVE-2026-31621

Fri, 24 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: bnge: return after auxiliary_device_uninit() in error path When auxiliary_device_add() fails, the error block calls auxiliary_device_uninit() but does not return. The uninit drops the last reference and synchronously runs bnge_aux_dev_release(), which sets bd->auxr_dev = NULL and frees the underlying object. The subsequent bd->auxr_dev->net = bd->netdev then dereferences NULL, which is not a good thing to have happen when trying to clean up from an error. Add the missing return, as the auxiliary bus documentation states is a requirement (seems that LLM tools read documentation better than humans do...)
Title		bnge: return after auxiliary_device_uninit() in error path
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/38c383ec6d37f4b5597f8e6a1f5c2ab31ea01d3a https://git.kernel.org/stable/c/87bc3557c708110d83086bf091328271298a44e3

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-24T14:42:39.274Z

Updated: 2026-05-11T22:12:21.098Z

Reserved: 2026-03-09T15:48:24.123Z

Link: CVE-2026-31621

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:41.380

Modified: 2026-04-28T14:05:14.443

Link: CVE-2026-31621

Redhat

Severity :

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31621 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T20:15:26Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object