CVE-2026-31651 - Vulnerability Details

- mmc: vub300: fix NULL-deref on disconnect

Description

In the Linux kernel, the following vulnerability has been resolved:

mmc: vub300: fix NULL-deref on disconnect

Make sure to deregister the controller before dropping the reference to
the driver data on disconnect to avoid NULL-pointer dereferences or
use-after-free.

Published: 2026-04-24

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s MMC driver vub300 contains a NULL‑pointer dereference when the controller disconnects. If a controller is not deregistered before the driver data reference count is decremented, a NULL dereference or use‑after‑free can occur. This flaw can crash the kernel or provide denial of service; it may be exploitable by an attacker who can trigger a disconnect event, which is inferred from the need to cause a controller disconnect. The weakness is a NULL pointer dereference, classified as CWE‑476.

Affected Systems

Affected systems are all Linux kernel versions that contain the vulnerable vub300 MMC driver before the patch was applied. The vulnerability is not tied to a specific kernel release but applies to any kernel in which the driver has not been updated to perform controller deregistration before releasing the reference on disconnect.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while the EPSS score of less than 1% reflects a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers would likely need local access to the system to trigger an MMC disconnect and exploit the flaw; this inference comes from the requirement to cause a controller disconnect. A successful exploit could cause a kernel panic.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`88095e7b473a3d9ec3b9c60429576e9cbd327c89`	affected	< 6446516e626ce7c44bdadbcbb3d7677a2c52ce93
`88095e7b473a3d9ec3b9c60429576e9cbd327c89`	affected	< ba3b9429de94958dc0060d9816a915dd75c34919
`88095e7b473a3d9ec3b9c60429576e9cbd327c89`	affected	< 517b58e1d067115f80d198feee10192da4c424d0
`88095e7b473a3d9ec3b9c60429576e9cbd327c89`	affected	< 6468cab1173f44f7a4b7a05ce8abfdfd1ce1557a
`88095e7b473a3d9ec3b9c60429576e9cbd327c89`	affected	< 53f2642d77ab5f1f303388bff5500363c6cf962c
`88095e7b473a3d9ec3b9c60429576e9cbd327c89`	affected	< c83a282615d8f7ba28cebddd54600b419d562d82
`88095e7b473a3d9ec3b9c60429576e9cbd327c89`	affected	< 8d09e75759cb2afc0732acfb5a14a93c03805a61
`88095e7b473a3d9ec3b9c60429576e9cbd327c89`	affected	< dff34ef879c5e73298443956a8b391311ba78d57

Linux

affected

Version	Status	Constraints
`3.0`	affected	—
`0`	unaffected	< 3.0
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.169`	unaffected	≤ 6.1.*
`6.6.135`	unaffected	≤ 6.6.*
`6.12.82`	unaffected	≤ 6.12.*
`6.18.23`	unaffected	≤ 6.18.*
`6.19.13`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:3.0:-::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[88095e7b473a3d9ec3b9c60429576e9cbd327c89,6446516e626ce7c44bdadbcbb3d7677a2c52ce93)`	affected	code_commit	—
`[88095e7b473a3d9ec3b9c60429576e9cbd327c89,ba3b9429de94958dc0060d9816a915dd75c34919)`	affected	code_commit	—
`[88095e7b473a3d9ec3b9c60429576e9cbd327c89,53f2642d77ab5f1f303388bff5500363c6cf962c)`	affected	code_commit	—
`[88095e7b473a3d9ec3b9c60429576e9cbd327c89,6468cab1173f44f7a4b7a05ce8abfdfd1ce1557a)`	affected	code_commit	—
`[88095e7b473a3d9ec3b9c60429576e9cbd327c89,53f2642d77ab5f1f303388bff5500363c6cf962c)`	affected	code_commit	—
`[88095e7b473a3d9ec3b9c60429576e9cbd327c89,c83a282615d8f7ba28cebddd54600b419d562d82)`	affected	code_commit	—
`[88095e7b473a3d9ec3b9c60429576e9cbd327c89,8d09e75759cb2afc0732acfb5a14a93c03805a61)`	affected	code_commit	—
`[88095e7b473a3d9ec3b9c60429576e9cbd327c89,dff34ef879c5e73298443956a8b391311ba78d57)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.0`	affected	generic	—
`[0,3.0)`	unaffected	generic	—
`[5.10.253,5.11.0)`	unaffected	semver	—
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.169,6.2.0)`	unaffected	semver	—
`[6.6.135,6.7.0)`	unaffected	semver	—
`[6.12.82,6.13.0)`	unaffected	semver	—
`[6.18.23,6.19.0)`	unaffected	semver	—
`[6.19.13,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a release that incorporates the vub300 NULL‑dereference fix.
Ensure that any MMC drivers in use deregister controllers before decrementing reference counts during a disconnect.
Disable or remove unused or legacy MMC controllers if they are not required for operation.

Generated by OpenCVE AI on April 28, 2026 at 20:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DSA	DSA-6238-1	linux security update
Debian DSA	DSA-6243-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/517b58e1d067115f80d198feee10192da4c424d0
https://git.kernel.org/stable/c/53f2642d77ab5f1f303388bff5500363c6cf962c
https://git.kernel.org/stable/c/6446516e626ce7c44bdadbcbb3d7677a2c52ce93
https://git.kernel.org/stable/c/6468cab1173f44f7a4b7a05ce8abfdfd1ce1557a
https://git.kernel.org/stable/c/8d09e75759cb2afc0732acfb5a14a93c03805a61
https://git.kernel.org/stable/c/ba3b9429de94958dc0060d9816a915dd75c34919
https://git.kernel.org/stable/c/c83a282615d8f7ba28cebddd54600b419d562d82
https://git.kernel.org/stable/c/dff34ef879c5e73298443956a8b391311ba78d57
https://lore.kernel.org/linux-cve-announce/2026042400-CVE-2026-31651-6fe7@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31651
https://www.cve.org/CVERecord?id=CVE-2026-31651

History

Mon, 27 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:o:linux:linux_kernel:3.0:-:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc4:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc5:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc6:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Sat, 25 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476
References		https://lore.kernel.org/linux-cve-announce/2026042400-CVE-2026-31651-6fe7@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31651 https://www.cve.org/CVERecord?id=CVE-2026-31651

Fri, 24 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: mmc: vub300: fix NULL-deref on disconnect Make sure to deregister the controller before dropping the reference to the driver data on disconnect to avoid NULL-pointer dereferences or use-after-free.
Title		mmc: vub300: fix NULL-deref on disconnect
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/517b58e1d067115f80d198feee10192da4c424d0 https://git.kernel.org/stable/c/53f2642d77ab5f1f303388bff5500363c6cf962c https://git.kernel.org/stable/c/6446516e626ce7c44bdadbcbb3d7677a2c52ce93 https://git.kernel.org/stable/c/6468cab1173f44f7a4b7a05ce8abfdfd1ce1557a https://git.kernel.org/stable/c/8d09e75759cb2afc0732acfb5a14a93c03805a61 https://git.kernel.org/stable/c/ba3b9429de94958dc0060d9816a915dd75c34919 https://git.kernel.org/stable/c/c83a282615d8f7ba28cebddd54600b419d562d82 https://git.kernel.org/stable/c/dff34ef879c5e73298443956a8b391311ba78d57

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-24T14:45:03.905Z

Updated: 2026-05-11T22:12:56.346Z

Reserved: 2026-03-09T15:48:24.128Z

Link: CVE-2026-31651

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:44.573

Modified: 2026-04-27T20:14:45.940

Link: CVE-2026-31651

Redhat

Severity :

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31651 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T20:15:26Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object