In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: possible double-free of cctx->remote_heap fastrpc_init_create_static_process() may free cctx->remote_heap on the err_map path but does not clear the pointer. Later, fastrpc_rpmsg_remove() frees cctx->remote_heap again if it is non-NULL, which can lead to a double-free if the INIT_CREATE_STATIC ioctl hits the error path and the rpmsg device is subsequently removed/unbound. Clear cctx->remote_heap after freeing it in the error path to prevent the later cleanup from freeing it again. This issue was found by an in-house analysis workflow that extracts AST-based information and runs static checks, with LLM assistance for triage, and was confirmed by manual code review. No hardware testing was performed.

A flaw was found in the Linux kernel's fastrpc component that could lead to a denial of service (DoS) or potentially arbitrary code execution. This memory corruption vulnerability, specifically a double-free, occurs when the cctx->remote_heap memory is freed twice due to an error handling issue in the fastrpc_init_create_static_process() function. If the INIT_CREATE_STATIC ioctl hits an error path and the rpmsg device is subsequently removed, fastrpc_rpmsg_remove() attempts to free the same memory again.

Red Hat Enterprise Linux 10 Not affected kernel Red Hat Enterprise Linux 6 Not affected kernel Red Hat Enterprise Linux 7 Not affected kernel Red Hat Enterprise Linux 7 Not affected kernel-rt Red Hat Enterprise Linux 8 Not affected kernel Red Hat Enterprise Linux 8 Not affected kernel-rt Red Hat Enterprise Linux 9 Not affected kernel Red Hat Enterprise Linux 9 Not affected kernel-rt https://www.cve.org/CVERecord?id=CVE-2026-31730 https://nvd.nist.gov/vuln/detail/CVE-2026-31730 https://lore.kernel.org/linux-cve-announce/2026050136-CVE-2026-31730-ff8a@gregkh/T