{
  "public_date" : "2026-04-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: media: hackrf: fix to not free memory after the device is registered in hackrf_probe()",
    "id" : "2461445",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461445"
  },
  "cwe" : "CWE-364",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmedia: hackrf: fix to not free memory after the device is registered in hackrf_probe()\nIn hackrf driver, the following race condition occurs:\n```\nCPU0                            CPU1\nhackrf_probe()\nkzalloc(); // alloc hackrf_dev\n....\nv4l2_device_register();\n....\n                                fd = sys_open(\"/path/to/dev\"); // open hackrf fd\n                                ....\nv4l2_device_unregister();\n....\nkfree(); // free hackrf_dev\n....\n                                sys_ioctl(fd, ...);\n                                v4l2_ioctl();\n                                video_is_registered() // UAF!!\n                                ....\n                                sys_close(fd);\n                                v4l2_release() // UAF!!\n                                hackrf_video_release()\n                                kfree(); // DFB!!\n```\nWhen a V4L2 or video device is unregistered, the device node is removed so\nnew open() calls are blocked.\nHowever, file descriptors that are already open, and any in-flight I/O, do\nnot terminate immediately; they remain valid until the last reference is\ndropped and the driver's release() is invoked.\nTherefore, freeing device memory on the error path after hackrf_probe()\nhas registered dev will lead to a race to use-after-free vuln, since\nthose already-open handles haven't been released yet.\nAnd since release() frees memory too, race to use-after-free and\ndouble-free vuln occur.\nTo prevent this, if the device is registered from probe(), it should be\nmodified to free memory only through release() rather than calling\nkfree() directly.", "A flaw was found in the Linux kernel's hackrf driver. A race condition exists where memory for the hackrf device is freed prematurely during device unregistration, even when file descriptors are still in use. This allows a local user to trigger a use-after-free and double-free vulnerability. Successful exploitation can lead to system instability, crashes, or a denial of service." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31576\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31576\nhttps://lore.kernel.org/linux-cve-announce/2026042410-CVE-2026-31576-e770@gregkh/T" ],
  "name" : "CVE-2026-31576",
  "csaw" : false
}