Wind River Support Network

HomeDefectsLIN1025-13714
Acknowledged

LIN1025-13714 : Security Advisory - linux - CVE-2026-31576

Created: Apr 27, 2026    Updated: Apr 30, 2026
Found In Version: 10.25.33.2
Severity: Standard
Applicable for: Wind River Linux LTS 25
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:  media: hackrf: fix to not free memory after the device is registered in hackrf_probe()  In hackrf driver, the following race condition occurs: ``` 		CPU0						CPU1 hackrf_probe()   kzalloc(); // alloc hackrf_dev   ....   v4l2_device_register();   .... 						fd = sys_open("/path/to/dev"); // open hackrf fd 						....   v4l2_device_unregister();   ....   kfree(); // free hackrf_dev   .... 						sys_ioctl(fd, ...); 						  v4l2_ioctl(); 						    video_is_registered() // UAF!! 						.... 						sys_close(fd); 						  v4l2_release() // UAF!! 						    hackrf_video_release() 						      kfree(); // DFB!! ```  When a V4L2 or video device is unregistered, the device node is removed so new open() calls are blocked.  However, file descriptors that are already open-and any in-flight I/O-do not terminate immediately; they remain valid until the last reference is dropped and the driver's release() is invoked.  Therefore, freeing device memory on the error path after hackrf_probe() has registered dev it will lead to a race to use-after-free vuln, since those already-open handles haven't been released yet.  And since release() free memory too, race to use-after-free and double-free vuln occur.  To prevent this, if device is registered from probe(), it should be modified to free memory only through release() rather than calling kfree() directly.
  • Linkedin
  • Facebook
  • Twitter
  • Youtube