{"id":"CVE-2026-23158","summary":"gpio: virtuser: fix UAF in configfs release path","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: virtuser: fix UAF in configfs release path\n\nThe gpio-virtuser configfs release path uses guard(mutex) to protect\nthe device structure. However, the device is freed before the guard\ncleanup runs, causing mutex_unlock() to operate on freed memory.\n\nSpecifically, gpio_virtuser_device_config_group_release() destroys\nthe mutex and frees the device while still inside the guard(mutex)\nscope. When the function returns, the guard cleanup invokes\nmutex_unlock(&dev-\u003elock), resulting in a slab use-after-free.\n\nLimit the mutex lifetime by using a scoped_guard() only around the\nactivation check, so that the lock is released before mutex_destroy()\nand kfree() are called.","modified":"2026-04-02T17:30:48.719352373Z","published":"2026-02-14T16:01:24.568Z","related":["SUSE-SU-2026:20838-1","SUSE-SU-2026:20931-1","openSUSE-SU-2026:20416-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23158.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/53ad4a948a4586359b841d607c08fb16c5503230"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7bec90f605cfb138006f5ba575f2310593347110"},{"type":"WEB","url":"https://git.kernel.org/stable/c/815a8e3bf72811d402b30bd4a53cde5e9df7a563"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23158.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23158"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"91581c4b3f29e2e22aeb1a62e842d529ca638b2d"},{"fixed":"815a8e3bf72811d402b30bd4a53cde5e9df7a563"},{"fixed":"7bec90f605cfb138006f5ba575f2310593347110"},{"fixed":"53ad4a948a4586359b841d607c08fb16c5503230"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23158.json"}}],"schema_version":"1.7.5"}