Description
In the Linux kernel, the following vulnerability has been resolved:

comedi: ni_atmio16d: Fix invalid clean-up after failed attach

If the driver's COMEDI "attach" handler function (`atmio16d_attach()`)
returns an error, the COMEDI core will call the driver's "detach"
handler function (`atmio16d_detach()`) to clean up. This calls
`reset_atmio16d()` unconditionally, but depending on where the error
occurred in the attach handler, the device may not have been
sufficiently initialized to call `reset_atmio16d()`. It uses
`dev->iobase` as the I/O port base address and `dev->private` as the
pointer to the COMEDI device's private data structure. `dev->iobase`
may still be set to its initial value of 0, which would result in
undesired writes to low I/O port addresses. `dev->private` may still be
`NULL`, which would result in null pointer dereferences.

Fix `atmio16d_detach()` by checking that `dev->private` is valid
(non-null) before calling `reset_atmio16d()`. This implies that
`dev->iobase` was set correctly since that is set up before
`dev->private`.
Published: 2026-05-01
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s COMEDI subsystem contains a flaw in the ni_atmio16d driver’s detach routine. When the attach handler fails, the kernel will unconditionally call reset_atmio16d() to clean up, but the private data structure may not yet be valid and the I/O base address may still be zero. This can cause the driver to write to an unintended I/O port or dereference a null pointer, resulting in memory corruption or a kernel crash. The description indicates a local denial‑of‑service condition rather than remote code execution, as the flaw resides in kernel cleanup performed during device attachment.

Affected Systems

The issue is present in all Linux kernel builds that include the COMEDI ni_atmio16d driver. Any system that loads this module—either through built‑in configuration or as a module—may experience the unchecked cleanup path. Because no specific kernel version is listed, all releases prior to the upstream fix are potentially affected until the kernel is updated with the commit that introduces a NULL check.

Risk and Exploitability

The advisory does not provide CVSS or EPSS scores, but a null‑pointer dereference during kernel teardown can lead to a denial of service or, in rare cases, memory corruption. There is no listing in CISA’s KEV catalog and no known public exploits at the time of writing. Exploitation likely requires local or privileged access to provoke the failed attach sequence, for example by loading a malformed device driver or supplying invalid parameters that cause the attach to return an error. No remote attack vector is described in the CVE data.

Generated by OpenCVE AI on May 2, 2026 at 11:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that incorporates the fix introduced by commit 101ab946b79ad83b36d5cfd47de587492a80acf0 or later
  • If the system cannot be updated immediately, unload or disable the ni_atmio16d COMEDI module to prevent the faulty cleanup code from executing
  • For environments that must use the driver, apply a local patch that adds a NULL check before calling reset_atmio16d(), modeled after the upstream change
  • If the driver is not required, disable COMEDI support in the kernel configuration to eliminate the vulnerable code path

Generated by OpenCVE AI on May 2, 2026 at 11:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Sat, 02 May 2026 10:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-476

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824
References

Fri, 01 May 2026 23:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-476

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: comedi: ni_atmio16d: Fix invalid clean-up after failed attach If the driver's COMEDI "attach" handler function (`atmio16d_attach()`) returns an error, the COMEDI core will call the driver's "detach" handler function (`atmio16d_detach()`) to clean up. This calls `reset_atmio16d()` unconditionally, but depending on where the error occurred in the attach handler, the device may not have been sufficiently initialized to call `reset_atmio16d()`. It uses `dev->iobase` as the I/O port base address and `dev->private` as the pointer to the COMEDI device's private data structure. `dev->iobase` may still be set to its initial value of 0, which would result in undesired writes to low I/O port addresses. `dev->private` may still be `NULL`, which would result in null pointer dereferences. Fix `atmio16d_detach()` by checking that `dev->private` is valid (non-null) before calling `reset_atmio16d()`. This implies that `dev->iobase` was set correctly since that is set up before `dev->private`.
Title comedi: ni_atmio16d: Fix invalid clean-up after failed attach
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T14:14:42.227Z

Reserved: 2026-03-09T15:48:24.139Z

Link: CVE-2026-31749

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:37.723

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31749

cve-icon Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31749 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T11:45:41Z

Weaknesses