Description
In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: possible double-free of cctx->remote_heap

fastrpc_init_create_static_process() may free cctx->remote_heap on the
err_map path but does not clear the pointer. Later, fastrpc_rpmsg_remove()
frees cctx->remote_heap again if it is non-NULL, which can lead to a
double-free if the INIT_CREATE_STATIC ioctl hits the error path and the rpmsg
device is subsequently removed/unbound.
Clear cctx->remote_heap after freeing it in the error path to prevent the
later cleanup from freeing it again.

This issue was found by an in-house analysis workflow that extracts AST-based
information and runs static checks, with LLM assistance for triage, and was
confirmed by manual code review.
No hardware testing was performed.
Published: 2026-05-01
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A double‑free occurs in the fastrpc component of the Linux kernel when the INIT_CREATE_STATIC ioctl encounters an error path while creating a static process and later the rpmsg device is removed or unbound. The kernel fails to clear the remote_heap pointer after freeing it on the error path, so the later cleanup routine frees the same pointer again. The description indicates a kernel heap memory corruption. Based on the description, it is inferred that a local attacker could potentially trigger a privilege escalation or, at minimum, cause a denial‑of‑service through a kernel panic. The weakness is a classic use‑after‑free error, classified as CWE‑1341.
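The free-without-clear pattern described above, reduced to a userspace C model. This is an added example, not the kernel's fastrpc source: `struct buf`, `buf_free()`, `count_releases()` and the other names are hypothetical, and a release counter stands in for the allocator.

```c
#include <stdio.h>

/* Userspace model, constructed for illustration (not the kernel source).
 * All names here are hypothetical stand-ins for the objects in the
 * description. buf_free() counts releases instead of calling a real
 * allocator, so the second release is observable without corrupting memory. */
struct buf { int release_count; };
struct ctx { struct buf *remote_heap; };

static void buf_free(struct buf *b) { b->release_count++; }

/* Models the INIT_CREATE_STATIC handler; fail != 0 takes the err_map path. */
static int init_create_static(struct ctx *c, struct buf *b, int fail, int patched)
{
    c->remote_heap = b;
    if (!fail)
        return 0;
    buf_free(c->remote_heap);
    if (patched)
        c->remote_heap = NULL;  /* the fix: clear the pointer after freeing */
    return -1;
}

/* Models the remove/unbind cleanup: frees remote_heap if it is non-NULL. */
static void rpmsg_remove(struct ctx *c)
{
    if (c->remote_heap)
        buf_free(c->remote_heap);
}

/* Runs the ioctl model, then device removal; returns the release count. */
static int count_releases(int fail, int patched)
{
    struct buf b = { 0 };
    struct ctx c = { NULL };
    (void)init_create_static(&c, &b, fail, patched);
    rpmsg_remove(&c);
    return b.release_count;
}

int main(void)
{
    printf("unpatched, error path: %d releases\n", count_releases(1, 0));
    printf("patched,   error path: %d releases\n", count_releases(1, 1));
    printf("success path:          %d release\n", count_releases(0, 0));
    return 0;
}
```

A release count of 2 for the same buffer is the double-free; with the pointer cleared on the error path, every sequence releases it exactly once.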

Affected Systems

The vulnerability resides in the core fastrpc code of the Linux kernel. All kernel releases that contain the affected fastrpc implementation are at risk. No specific version ranges are provided, so any instance of the kernel that implements fastrpc with the described double‑free path should be considered vulnerable.

Risk and Exploitability

The CVSS score is not provided, and the EPSS score is unavailable. It is not listed in CISA KEV, indicating that widespread exploitation has not yet been observed. Based on the description, it is inferred that the bug enables a kernel memory corruption that can be exploited locally. The likely attack scenario involves an authenticated or local privileged user that can invoke the vulnerable ioctl on the rpmsg device and then trigger removal or unbinding of the device to hit the double‑free path. Because the bug operates entirely in kernel space, it can lead to local privilege escalation if successfully triggered.

Generated by OpenCVE AI on May 2, 2026 at 11:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patched Linux kernel that clears cctx->remote_heap after freeing it in the error path. This removes the double‑free path entirely.
  • After installing the patched kernel, reboot the system or reload the affected rpmsg and fastrpc modules to ensure the updated code is active.
  • If patching cannot be performed immediately, consider disabling or unloading the fastrpc/rpmsg driver until a fix is available, or restrict ioctl access to trusted users so the error path cannot be exercised.

Generated by OpenCVE AI on May 2, 2026 at 11:47 UTC.


Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000


Fri, 01 May 2026 14:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: possible double-free of cctx->remote_heap fastrpc_init_create_static_process() may free cctx->remote_heap on the err_map path but does not clear the pointer. Later, fastrpc_rpmsg_remove() frees cctx->remote_heap again if it is non-NULL, which can lead to a double-free if the INIT_CREATE_STATIC ioctl hits the error path and the rpmsg device is subsequently removed/unbound. Clear cctx->remote_heap after freeing it in the error path to prevent the later cleanup from freeing it again. This issue was found by an in-house analysis workflow that extracts AST-based information and runs static checks, with LLM assistance for triage, and was confirmed by manual code review. No hardware testing was performed. |
| Title | | misc: fastrpc: possible double-free of cctx->remote_heap |
| First Time appeared | | Linux; Linux linux Kernel |
| CPEs | | `cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Linux; Linux linux Kernel |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T14:14:29.522Z

Reserved: 2026-03-09T15:48:24.135Z

Link: CVE-2026-31730

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:35.577

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31730

Redhat

Severity :

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31730 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T12:00:14Z

Weaknesses