{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31475", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.098Z", "datePublished": "2026-04-22T13:54:04.113Z", "dateUpdated": "2026-05-11T22:09:27.257Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:09:27.257Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: sma1307: fix double free of devm_kzalloc() memory\n\nA previous change added NULL checks and cleanup for allocation\nfailures in sma1307_setting_loaded().\n\nHowever, the cleanup for mode_set entries is wrong. Those entries are\nallocated with devm_kzalloc(), so they are device-managed resources and\nmust not be freed with kfree(). Manually freeing them in the error path\ncan lead to a double free when devres later releases the same memory.\n\nDrop the manual kfree() loop and let devres handle the cleanup."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/soc/codecs/sma1307.c"], "versions": [{"version": "0ec6bd16705fe21d6429d6b8f7981eae2142bba8", "lessThan": "d472d1a52985211b92883bb64bbe710b45980190", "status": "affected", "versionType": "git"}, {"version": "0ec6bd16705fe21d6429d6b8f7981eae2142bba8", "lessThan": "1a82c3272626db9006f4c2cad3adf2916417aed6", "status": "affected", "versionType": "git"}, {"version": "0ec6bd16705fe21d6429d6b8f7981eae2142bba8", "lessThan": "fe757092d2329c397ecb32f2bf68a5b1c4bd9193", "status": "affected", "versionType": "git"}, {"version": "f8434b8ba437d3f6cbcd9ffe8405bd16ed28fc5c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/soc/codecs/sma1307.c"], "versions": [{"version": "6.15", "status": "affected"}, {"version": "0", "lessThan": "6.15", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "7.0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14.9"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d472d1a52985211b92883bb64bbe710b45980190"}, {"url": "https://git.kernel.org/stable/c/1a82c3272626db9006f4c2cad3adf2916417aed6"}, {"url": "https://git.kernel.org/stable/c/fe757092d2329c397ecb32f2bf68a5b1c4bd9193"}], "title": "ASoC: sma1307: fix double free of devm_kzalloc() memory", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2932EEA2-2EDB-4FE6-9BF4-C1F90FF22950", "versionEndExcluding": "6.15", "versionStartIncluding": "6.14.9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "36BA90C1-6493-4928-A360-8DF69289C352", "versionEndExcluding": "6.18.21", "versionStartIncluding": "6.15.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:-:*:*:*:*:*:*", "matchCriteriaId": "A1ECC65A-EE37-4479-8E99-4BB68A22A31F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: sma1307: fix double free of devm_kzalloc() memory\n\nA previous change added NULL checks and cleanup for allocation\nfailures in sma1307_setting_loaded().\n\nHowever, the cleanup for mode_set entries is wrong. Those entries are\nallocated with devm_kzalloc(), so they are device-managed resources and\nmust not be freed with kfree(). Manually freeing them in the error path\ncan lead to a double free when devres later releases the same memory.\n\nDrop the manual kfree() loop and let devres handle the cleanup."}], "id": "CVE-2026-31475", "lastModified": "2026-04-27T23:25:50.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-22T14:16:44.207", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1a82c3272626db9006f4c2cad3adf2916417aed6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d472d1a52985211b92883bb64bbe710b45980190"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fe757092d2329c397ecb32f2bf68a5b1c4bd9193"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-415"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: ASoC: sma1307: fix double free of devm_kzalloc() memory", "id": "2460700", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460700"}, "csaw": false, "cwe": "CWE-763", "details": ["A flaw was found in the Linux kernel's ASoC sma1307 component. An incorrect cleanup operation attempts to manually free memory that is already managed by the device resource management (devres) system. This can lead to a double free vulnerability, potentially causing memory corruption and system instability, which could result in a denial of service."], "name": "CVE-2026-31475", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31475\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31475\nhttps://lore.kernel.org/linux-cve-announce/2026042256-CVE-2026-31475-74ed@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0ec6bd16705fe21d6429d6b8f7981eae2142bba8,d472d1a52985211b92883bb64bbe710b45980190)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0ec6bd16705fe21d6429d6b8f7981eae2142bba8,1a82c3272626db9006f4c2cad3adf2916417aed6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0ec6bd16705fe21d6429d6b8f7981eae2142bba8,fe757092d2329c397ecb32f2bf68a5b1c4bd9193)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "f8434b8ba437d3f6cbcd9ffe8405bd16ed28fc5c"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.15"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.15)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-29T00:09:18.790043+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a release that integrates commit 1a82c3272626db9006f4c2cad3adf2916417aed6, such as the latest 6.15 or 7.0 release that contains the fix.", "If the sma1307 audio codec is not required, disable or unload the driver to remove the attack surface.", "Continuously monitor kernel logs (e.g., dmesg) for indications of double\u2011free, kfree errors, or unexpected crashes that could signal an attempted exploitation."], "summary": {"action": "Patch Immediately", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Affected systems run Linux kernel versions that include the sma1307 driver before the revert commit. The vulnerability is present in kernel 6.15 and all 7.0 release candidates up to rc7. Any system that has the sma1307 driver enabled and is running a kernel before the applied patch is susceptible. Systems using more recent stable kernels that incorporate the fix are not affected.", "description_and_impact": "A memory\u2011management flaw was discovered in the Linux kernel\u2019s Advanced Sound Architecture (ASoC) driver for the sma1307 audio codec. The bug arises when the driver attempts to free device\u2011managed memory allocated with devm_kzalloc() via a manual kfree() loop during error handling. Because devm_kzalloc() memory is automatically freed by the device\u2011resource allocator, the manual kfree causes a double\u2011free (CWE-415). This misuse also violates device\u2011resource management best practices (CWE-763). A double\u2011free can corrupt kernel memory, potentially leading to a kernel panic or other unintended behavior, but there is no documented evidence that it can be leveraged for privilege escalation.", "risk_and_exploitability": "The CVSS score of 7.8 reflects high severity, while the EPSS score of <\u202f1\u202f% indicates a low likelihood of exploitation in the wild. The issue is not currently listed in the CISA KEV catalog. Exploitation requires the attacker to trigger the driver\u2019s error path, which generally necessitates local presence or the ability to load the driver. Once triggered, it can lead to a kernel panic, service disruption, or other unintended behavior. Administrators should treat it as a high\u2011risk local vulnerability."}}}}, "created": "2026-04-22T16:45:21.250060+00:00", "updated": "2026-04-29T00:15:43.469395+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}