Description
In the Linux kernel, the following vulnerability has been resolved:

EDAC/mc: Fix error path ordering in edac_mc_alloc()

When the mci->pvt_info allocation in edac_mc_alloc() fails, the error path
will call put_device() which will end up calling the device's release
function.

However, the init ordering is wrong such that device_initialize() happens
*after* the failed allocation and thus the device itself and the release
function pointer are not initialized yet when they're called:

MCE: In-kernel MCE decoding enabled.
------------[ cut here ]------------
kobject: '(null)': is not initialized, yet kobject_put() is being called.
WARNING: lib/kobject.c:734 at kobject_put, CPU#22: systemd-udevd
CPU: 22 UID: 0 PID: 538 Comm: systemd-udevd Not tainted 7.0.0-rc1+ #2 PREEMPT(full)
RIP: 0010:kobject_put
Call Trace:
<TASK>
edac_mc_alloc+0xbe/0xe0 [edac_core]
amd64_edac_init+0x7a4/0xff0 [amd64_edac]
? __pfx_amd64_edac_init+0x10/0x10 [amd64_edac]
do_one_initcall
...

Reorder the calling sequence so that the device is initialized and thus the
release function pointer is properly set before it can be used.

This was found by Claude while reviewing another EDAC patch.
Published: 2026-04-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel the EDAC/mc subsystem contains a flaw where, upon a failed allocation inside edac_mc_alloc(), the error path executes before device initialization. The device’s release function is called on an uninitialized structure, leading to a kernel fault and system crash. This constitutes a denial of service that forces the machine to reboot or become unusable. The weakness is identified as CWE‑476 (null pointer dereference) and CWE‑824 (improper handling of uninitialized data).

Affected Systems

All Linux kernel builds that include the pre‑fix EDAC/mc implementation are vulnerable. The issue applies to any distribution or custom kernel that still has the uninitialized device release path. Users of newer kernels that contain the corrected order are not affected.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate risk. EPSS score is less than 1%, indicating a very low but nonzero exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to require the kernel to encounter a hardware failure or explicitly trigger a bad allocation in the EDAC subsystem, which most users would not be able to induce remotely. Therefore, exploitation likelihood is low, but the impact is a denial of service if triggered.

Generated by OpenCVE AI on May 6, 2026 at 20:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the system kernel to a release that includes the commit which reorders the initialization sequence in edac_mc_alloc().
  • If an official kernel update is not immediately available, obtain the patch for the affected commit from the kernel git repository, apply it to your current kernel source, rebuild, and test the kernel in a staging environment before deploying.
  • Reboot the system into the updated kernel to ensure the initialization order is now correct and the device release function is properly set.

Generated by OpenCVE AI on May 6, 2026 at 20:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Wed, 06 May 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Tue, 28 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Mon, 27 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: EDAC/mc: Fix error path ordering in edac_mc_alloc() When the mci->pvt_info allocation in edac_mc_alloc() fails, the error path will call put_device() which will end up calling the device's release function. However, the init ordering is wrong such that device_initialize() happens *after* the failed allocation and thus the device itself and the release function pointer are not initialized yet when they're called: MCE: In-kernel MCE decoding enabled. ------------[ cut here ]------------ kobject: '(null)': is not initialized, yet kobject_put() is being called. WARNING: lib/kobject.c:734 at kobject_put, CPU#22: systemd-udevd CPU: 22 UID: 0 PID: 538 Comm: systemd-udevd Not tainted 7.0.0-rc1+ #2 PREEMPT(full) RIP: 0010:kobject_put Call Trace: <TASK> edac_mc_alloc+0xbe/0xe0 [edac_core] amd64_edac_init+0x7a4/0xff0 [amd64_edac] ? __pfx_amd64_edac_init+0x10/0x10 [amd64_edac] do_one_initcall ... Reorder the calling sequence so that the device is initialized and thus the release function pointer is properly set before it can be used. This was found by Claude while reviewing another EDAC patch.
Title EDAC/mc: Fix error path ordering in edac_mc_alloc()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:13:44.271Z

Reserved: 2026-03-09T15:48:24.131Z

Link: CVE-2026-31689

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-27T18:16:54.387

Modified: 2026-05-06T18:33:39.837

Link: CVE-2026-31689

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-27T00:00:00Z

Links: CVE-2026-31689 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T20:45:05Z

Weaknesses