CVE-2026-31760 - Vulnerability Details

- gpib: lpvo_usb: fix memory leak on disconnect

Description

In the Linux kernel, the following vulnerability has been resolved:

gpib: lpvo_usb: fix memory leak on disconnect

The driver iterates over the registered USB interfaces during GPIB
attach and takes a reference to their USB devices until a match is
found. These references are never released which leads to a memory leak
when devices are disconnected.

Fix the leak by dropping the unnecessary references.

Published: 2026-05-01

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s GPIB driver contains a memory leak that occurs when a GPIB USB adapter is disconnected. The driver retains references to USB devices after a successful match, never releasing them. Over time, repeated connect and disconnect operations increase kernel memory consumption until a critical level is reached, potentially leading to kernel instability or a system-wide slowdown.

Affected Systems

The flaw is present in the Linux kernel itself; no particular vendor or version is specified, so every kernel release that has not incorporated the patch could be affected. Users of any Linux system running a kernel that still includes the buggy GPIB driver are at risk.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium severity risk, while the EPSS score of < 1% suggests a low likelihood of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. The leak requires repeated disconnects of GPIB USB adapters to accumulate a significant memory drain, making immediate exploitation unlikely. However, sustained use of GPIB adapters over time can gradually degrade system reliability and may lead to a denial of service through kernel memory exhaustion.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`fce79512a96afacbe297ba3c5c2f7ed34944540d`	affected	< 21f942879f86108b300a23683e67483f8c358fc7
`fce79512a96afacbe297ba3c5c2f7ed34944540d`	affected	< 706f4fe2dacc95d65e7c8dff321711f024bb8d20
`fce79512a96afacbe297ba3c5c2f7ed34944540d`	affected	< 5cefb52c1af6f69ea719e42788f6ec6a087eb74c

Linux

affected

Version	Status	Constraints
`6.13`	affected	—
`0`	unaffected	< 6.13
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[fce79512a96afacbe297ba3c5c2f7ed34944540d,21f942879f86108b300a23683e67483f8c358fc7)`	affected	code_commit	—
`[fce79512a96afacbe297ba3c5c2f7ed34944540d,706f4fe2dacc95d65e7c8dff321711f024bb8d20)`	affected	code_commit	—
`[fce79512a96afacbe297ba3c5c2f7ed34944540d,5cefb52c1af6f69ea719e42788f6ec6a087eb74c)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.13`	affected	generic	—
`[0,6.13)`	unaffected	generic	—
`[6.18.22,6.19.0)`	unaffected	semver	—
`[6.19.12,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a Linux kernel update that includes the patch for the GPIB driver memory leak
If an update cannot be applied promptly, reduce the frequency of GPIB USB device connect/disconnect cycles to minimize memory growth
Monitor system memory usage for abnormal trends that may indicate the leak is active

Generated by OpenCVE AI on May 8, 2026 at 20:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/21f942879f86108b300a23683e67483f8c358fc7
https://git.kernel.org/stable/c/5cefb52c1af6f69ea719e42788f6ec6a087eb74c
https://git.kernel.org/stable/c/706f4fe2dacc95d65e7c8dff321711f024bb8d20
https://lore.kernel.org/linux-cve-announce/2026050145-CVE-2026-31760-05cb@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31760
https://www.cve.org/CVERecord?id=CVE-2026-31760

History

Fri, 08 May 2026 18:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401
CPEs		cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc4:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc5:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-911
References		https://lore.kernel.org/linux-cve-announce/2026050145-CVE-2026-31760-05cb@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31760 https://www.cve.org/CVERecord?id=CVE-2026-31760

Fri, 01 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: gpib: lpvo_usb: fix memory leak on disconnect The driver iterates over the registered USB interfaces during GPIB attach and takes a reference to their USB devices until a match is found. These references are never released which leads to a memory leak when devices are disconnected. Fix the leak by dropping the unnecessary references.
Title		gpib: lpvo_usb: fix memory leak on disconnect
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/21f942879f86108b300a23683e67483f8c358fc7 https://git.kernel.org/stable/c/5cefb52c1af6f69ea719e42788f6ec6a087eb74c https://git.kernel.org/stable/c/706f4fe2dacc95d65e7c8dff321711f024bb8d20

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T14:14:52.553Z

Updated: 2026-05-11T22:15:17.036Z

Reserved: 2026-03-09T15:48:24.139Z

Link: CVE-2026-31760

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-01T15:16:39.047

Modified: 2026-05-08T18:11:51.870

Link: CVE-2026-31760

Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31760 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T20:30:16Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object