Description
In the Linux kernel, the following vulnerability has been resolved:

driver core: enforce device_lock for driver_match_device()

Currently, driver_match_device() is called from three sites. One site
(__device_attach_driver) holds device_lock(dev), but the other two
(bind_store and __driver_attach) do not. This inconsistency means that
bus match() callbacks are not guaranteed to be called with the lock
held.

Fix this by introducing driver_match_device_locked(), which guarantees
holding the device lock using a scoped guard. Replace the unlocked calls
in bind_store() and __driver_attach() with this new helper. Also add a
lock assertion to driver_match_device() to enforce this guarantee.

This consistency also fixes a known race condition. The driver_override
implementation relies on the device_lock, so the missing lock led to the
use-after-free (UAF) reported in Bugzilla for buses using this field.

Stress testing the two newly locked paths for 24 hours with
CONFIG_PROVE_LOCKING and CONFIG_LOCKDEP enabled showed no UAF recurrence
and no lockdep warnings.
Published: 2026-04-27
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel's driver_match_device() function is invoked without the required device_lock at two of its three call sites (bind_store and __driver_attach), so bus match() callbacks are not guaranteed to run with the lock held. This allows a race condition that can evolve into a use-after-free, because the driver_override implementation relies on that lock. The resulting use-after-free is a weakness defined by CWE-413 and CWE-416, and it enables an attacker who can trigger the race locally to execute arbitrary code within the kernel address space, potentially achieving full system compromise.

Affected Systems

Any Linux kernel distribution that has not incorporated the commit adding driver_match_device_locked() is vulnerable. The vendor list is generic "Linux:Linux", indicating that all standard Linux kernel releases before the patch are affected. No specific version range is supplied, so the vulnerability applies to every pre‑patch kernel regardless of distribution.

Risk and Exploitability

With a CVSS score of 7.8 the vulnerability is rated high severity. Its EPSS score is very low (<1%), indicating a low likelihood of exploitation, and exploitation has not yet been observed in the wild. Exploitation would most likely occur locally, requiring an attacker able to load a bus driver that depends on driver_override and trigger the race condition in driver_match_device(). The fix eliminates the race by ensuring the lock is held for every call, thereby removing the potential for the use-after-free. Until the kernel is updated, the risk remains significant for systems that load vulnerable drivers.

Generated by OpenCVE AI on May 6, 2026 at 20:38 UTC.
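
The locking contract described in the commit message, as an added userspace model: this is not the kernel patch and not OpenCVE's code. The function names driver_match_device() and driver_match_device_locked() come from the description; lock_held, unlocked_match_calls, override_match, DEVICE_GUARD and the driver names are constructed for illustration, and the model refuses an unlocked call with -1 where the kernel uses a lock assertion.

```c
/* Userspace model of the locking contract; not kernel code. */
#include <stdatomic.h>
#include <stdbool.h>
#include <string.h>

struct device {
    atomic_flag lock;            /* stands in for the device mutex */
    bool lock_held;              /* stands in for lockdep's held-lock state */
    const char *driver_override; /* read by match(); protected by the lock */
    int unlocked_match_calls;    /* contract violations caught by the check */
};
struct device_driver {
    const char *name;
    int (*match)(struct device *dev, const struct device_driver *drv);
};

void device_lock(struct device *dev) {
    while (atomic_flag_test_and_set_explicit(&dev->lock, memory_order_acquire))
        ;                        /* spin; the kernel sleeps on a mutex instead */
    dev->lock_held = true;
}
void device_unlock(struct device *dev) {
    dev->lock_held = false;
    atomic_flag_clear_explicit(&dev->lock, memory_order_release);
}
/* Scoped guard: the cleanup handler unlocks on every exit from the scope. */
static void guard_release(struct device **devp) { device_unlock(*devp); }
#define DEVICE_GUARD(dev) struct device *guard_ \
    __attribute__((cleanup(guard_release), unused)) = (device_lock(dev), (dev))

/* Constructed bus match() callback that consults driver_override. */
int override_match(struct device *dev, const struct device_driver *drv) {
    return !dev->driver_override || strcmp(dev->driver_override, drv->name) == 0;
}
/* Callers must hold the lock; a violation is counted and refused (-1). */
int driver_match_device(const struct device_driver *drv, struct device *dev) {
    if (!dev->lock_held) {       /* models the lock assertion */
        dev->unlocked_match_calls++;
        return -1;
    }
    return drv->match ? drv->match(dev, drv) : 1;
}
/* Helper for call sites that do not already hold the lock. */
int driver_match_device_locked(const struct device_driver *drv, struct device *dev) {
    DEVICE_GUARD(dev);
    return driver_match_device(drv, dev);
}
```

A call site that already holds the lock calls driver_match_device() directly; every other call site goes through driver_match_device_locked(), so the match() callback never reads driver_override unlocked.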

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the driver_match_device_locked() fix from the maintainer commit
  • For systems that cannot update immediately, prevent loading of bus drivers that rely on driver_override until the lock enforcement is in place
  • Enable kernel lock debugging features such as CONFIG_PROVE_LOCKING or CONFIG_LOCKDEP to detect any race conditions during kernel operation
  • Maintain a timely patch management process to apply the latest kernel releases and avoid known vulnerabilities

Advisories

No advisories yet.

History

Wed, 06 May 2026 18:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-416
Metrics | cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'} | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 28 Apr 2026 00:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-413
References | |
Metrics | threat_severity: None | cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity: Moderate


Mon, 27 Apr 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | (the text given under Description at the top of this page)
Title | | driver core: enforce device_lock for driver_match_device()
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:13:43.159Z

Reserved: 2026-03-09T15:48:24.131Z

Link: CVE-2026-31688

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-27T18:16:54.287

Modified: 2026-05-06T18:36:57.093

Link: CVE-2026-31688

Redhat

Severity: Moderate

Public Date: 2026-04-27T00:00:00Z

Links: CVE-2026-31688 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-06T20:45:05Z

Weaknesses