{"id":"CVE-2026-31578","summary":"media: as102: fix to not free memory after the device is registered in as102_usb_probe()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: as102: fix to not free memory after the device is registered in as102_usb_probe()\n\nIn as102_usb driver, the following race condition occurs:\n```\n\t\tCPU0\t\t\t\t\t\tCPU1\nas102_usb_probe()\n  kzalloc(); // alloc as102_dev_t\n  ....\n  usb_register_dev();\n\t\t\t\t\t\tfd = sys_open(\"/path/to/dev\"); // open as102 fd\n\t\t\t\t\t\t....\n  usb_deregister_dev();\n  ....\n  kfree(); // free as102_dev_t\n  ....\n\t\t\t\t\t\tsys_close(fd);\n\t\t\t\t\t\t  as102_release() // UAF!!\n\t\t\t\t\t\t    as102_usb_release()\n\t\t\t\t\t\t      kfree(); // DFB!!\n```\n\nWhen a USB character device registered with usb_register_dev() is later\nunregistered (via usb_deregister_dev() or disconnect), the device node is\nremoved so new open() calls fail. However, file descriptors that are\nalready open do not go away immediately: they remain valid until the last\nreference is dropped and the driver's .release() is invoked.\n\nIn as102, as102_usb_probe() calls usb_register_dev() and then, on an\nerror path, does usb_deregister_dev() and frees as102_dev_t right away.\nIf userspace raced a successful open() before the deregistration, that\nopen FD will later hit as102_release() --\u003e as102_usb_release() and access\nor free as102_dev_t again, occur a race to use-after-free and\ndouble-free vuln.\n\nThe fix is to never kfree(as102_dev_t) directly once usb_register_dev()\nhas succeeded. After deregistration, defer freeing memory to .release().\n\nIn other words, let release() perform the last kfree when the final open\nFD is closed.","modified":"2026-06-18T03:57:05.826093198Z","published":"2026-04-24T14:42:09.519Z","related":["CGA-8whg-ph4j-hw9h","openSUSE-SU-2026:10703-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31578.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/07ceb444c8f627cf863864d4274b5a77769725ed"},{"type":"WEB","url":"https://git.kernel.org/stable/c/09e9206008b887aa553733bd915d73131071a086"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0d36653a3a821e5a974798adb347b3ea09332914"},{"type":"WEB","url":"https://git.kernel.org/stable/c/25d500cf391e384356a612b85cf60b353ad3cd0c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2eeae47a438694408189138048a786be99954032"},{"type":"WEB","url":"https://git.kernel.org/stable/c/582fbecb3756330006fe1950762412a68c2cacd2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7e5aedf6059cba2a669d86caeaf5a51f33ec85a1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8bd29dbe03fc5b0f039ab2395ff37b64236d2f0c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cb8092038e95dc1113a68e63762de40fff61ba71"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31578.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31578"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c"},{"fixed":"0d36653a3a821e5a974798adb347b3ea09332914"},{"fixed":"25d500cf391e384356a612b85cf60b353ad3cd0c"},{"fixed":"07ceb444c8f627cf863864d4274b5a77769725ed"},{"fixed":"cb8092038e95dc1113a68e63762de40fff61ba71"},{"fixed":"582fbecb3756330006fe1950762412a68c2cacd2"},{"fixed":"09e9206008b887aa553733bd915d73131071a086"},{"fixed":"2eeae47a438694408189138048a786be99954032"},{"fixed":"7e5aedf6059cba2a669d86caeaf5a51f33ec85a1"},{"fixed":"8bd29dbe03fc5b0f039ab2395ff37b64236d2f0c"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31578.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.14.0"},{"fixed":"5.10.258"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.209"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.136"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.83"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.24"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.14"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.20.0"},{"fixed":"7.0.1"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31578.json"}}],"schema_version":"1.7.5"}