{
  "public_date" : "2026-04-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: media: as102: fix to not free memory after the device is registered in as102_usb_probe()",
    "id" : "2461576",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461576"
  },
  "cwe" : "CWE-364",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmedia: as102: fix to not free memory after the device is registered in as102_usb_probe()\nIn the as102_usb driver, the following race condition occurs:\n```\nCPU0                                    CPU1\nas102_usb_probe()\n  kzalloc(); // alloc as102_dev_t\n  ....\n  usb_register_dev();\n                                        fd = sys_open(\"/path/to/dev\"); // open as102 fd\n                                        ....\n  usb_deregister_dev();\n  ....\n  kfree(); // free as102_dev_t\n  ....\n                                        sys_close(fd);\n                                          as102_release() // UAF!!\n                                            as102_usb_release()\n                                              kfree(); // DFB!!\n```\nWhen a USB character device registered with usb_register_dev() is later\nunregistered (via usb_deregister_dev() or disconnect), the device node is\nremoved so new open() calls fail. However, file descriptors that are\nalready open do not go away immediately: they remain valid until the last\nreference is dropped and the driver's .release() is invoked.\nIn as102, as102_usb_probe() calls usb_register_dev() and then, on an\nerror path, does usb_deregister_dev() and frees as102_dev_t right away.\nIf userspace raced a successful open() before the deregistration, that\nopen FD will later hit as102_release() --> as102_usb_release() and access\nor free as102_dev_t again, resulting in a race that leads to use-after-free and\ndouble-free vulnerabilities.\nThe fix is to never kfree(as102_dev_t) directly once usb_register_dev()\nhas succeeded. After deregistration, defer freeing memory to .release().\nIn other words, let release() perform the last kfree when the final open\nFD is closed.", "A flaw was found in the Linux kernel's as102_usb driver. A local user could exploit a race condition during the handling of USB device registration and deregistration. This vulnerability occurs when a device's memory is prematurely freed while an open file descriptor still exists, leading to a use-after-free or double-free condition. Such memory corruption could potentially allow for privilege escalation or cause a denial of service." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31578\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31578\nhttps://lore.kernel.org/linux-cve-announce/2026042410-CVE-2026-31578-fd48@gregkh/T" ],
  "name" : "CVE-2026-31578",
  "csaw" : false
}