{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31527", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.111Z", "datePublished": "2026-04-22T13:54:40.485Z", "dateUpdated": "2026-05-11T22:10:31.339Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:10:31.339Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: platform: use generic driver_override infrastructure\n\nWhen a driver is probed through __driver_attach(), the bus' match()\ncallback is called without the device lock held, thus accessing the\ndriver_override field without a lock, which can cause a UAF.\n\nFix this by using the driver-core driver_override infrastructure taking\ncare of proper locking internally.\n\nNote that calling match() from __driver_attach() without the device lock\nheld is intentional. [1]"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/base/platform.c", "drivers/bus/simple-pm-bus.c", "drivers/clk/imx/clk-scu.c", "drivers/slimbus/qcom-ngd-ctrl.c", "include/linux/platform_device.h", "sound/soc/samsung/i2s.c"], "versions": [{"version": "3d713e0e382e6fcfb4bba1501645b66c129ad60b", "lessThan": "9a6086d2a828dd2ff74cf9abcae456670febd71f", "status": "affected", "versionType": "git"}, {"version": "3d713e0e382e6fcfb4bba1501645b66c129ad60b", "lessThan": "7c02a9bd7d14a89065fcf672b86d8e1d1a41d3b1", "status": "affected", "versionType": "git"}, {"version": "3d713e0e382e6fcfb4bba1501645b66c129ad60b", "lessThan": "edee7ee5a14c3b33f6d54641f5af5c5e9180992d", "status": "affected", "versionType": "git"}, {"version": "3d713e0e382e6fcfb4bba1501645b66c129ad60b", "lessThan": "2b38efc05bf7a8568ec74bfffea0f5cfa62bc01d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/base/platform.c", "drivers/bus/simple-pm-bus.c", "drivers/clk/imx/clk-scu.c", "drivers/slimbus/qcom-ngd-ctrl.c", "include/linux/platform_device.h", "sound/soc/samsung/i2s.c"], "versions": [{"version": "3.17", "status": "affected"}, {"version": "0", "lessThan": "3.17", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.17", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.17", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.17", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.17", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9a6086d2a828dd2ff74cf9abcae456670febd71f"}, {"url": "https://git.kernel.org/stable/c/7c02a9bd7d14a89065fcf672b86d8e1d1a41d3b1"}, {"url": "https://git.kernel.org/stable/c/edee7ee5a14c3b33f6d54641f5af5c5e9180992d"}, {"url": "https://git.kernel.org/stable/c/2b38efc05bf7a8568ec74bfffea0f5cfa62bc01d"}], "title": "driver core: platform: use generic driver_override infrastructure", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "564BF73E-2070-41D2-8204-794C46879E01", "versionEndExcluding": "6.12.80", "versionStartIncluding": "3.17", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE", "versionEndExcluding": "6.18.21", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: platform: use generic driver_override infrastructure\n\nWhen a driver is probed through __driver_attach(), the bus' match()\ncallback is called without the device lock held, thus accessing the\ndriver_override field without a lock, which can cause a UAF.\n\nFix this by using the driver-core driver_override infrastructure taking\ncare of proper locking internally.\n\nNote that calling match() from __driver_attach() without the device lock\nheld is intentional. [1]"}], "id": "CVE-2026-31527", "lastModified": "2026-04-28T18:02:17.463", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-22T14:16:52.903", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2b38efc05bf7a8568ec74bfffea0f5cfa62bc01d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7c02a9bd7d14a89065fcf672b86d8e1d1a41d3b1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9a6086d2a828dd2ff74cf9abcae456670febd71f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/edee7ee5a14c3b33f6d54641f5af5c5e9180992d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: driver core: platform: use generic driver_override infrastructure", "id": "2460682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460682"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-413", "details": ["A flaw was found in the Linux kernel. When a driver is probed, the `match()` callback can access the `driver_override` field without proper locking, leading to a Use-After-Free (UAF) vulnerability. This memory corruption flaw could allow a local attacker to escalate privileges or execute arbitrary code."], "name": "CVE-2026-31527", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31527\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31527\nhttps://lore.kernel.org/linux-cve-announce/2026042214-CVE-2026-31527-a1bc@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3d713e0e382e6fcfb4bba1501645b66c129ad60b,9a6086d2a828dd2ff74cf9abcae456670febd71f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3d713e0e382e6fcfb4bba1501645b66c129ad60b,7c02a9bd7d14a89065fcf672b86d8e1d1a41d3b1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3d713e0e382e6fcfb4bba1501645b66c129ad60b,edee7ee5a14c3b33f6d54641f5af5c5e9180992d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3d713e0e382e6fcfb4bba1501645b66c129ad60b,2b38efc05bf7a8568ec74bfffea0f5cfa62bc01d)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.17"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,3.17)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.80,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T23:55:38.501619+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to the patched version that includes the driver_override locking fix.", "If the upgrade cannot be applied immediately, stop or unload platform drivers that depend on driver_override until the patch is installed.", "Enable kernel module signing, secure boot, or other module\u2011loading restrictions to limit untrusted driver loading as a temporary safeguard."], "summary": {"action": "Immediate Patch", "impact": "Use\u2011After\u2011Free leading to potential arbitrary code execution"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that do not yet include the driver_override locking fix. The vulnerability affects platform drivers in the production kernel; the exact version range is not specified, so any system running a kernel prior to the patch is at risk.", "description_and_impact": "In the Linux kernel, the driver attachment routine can access the driver_override field without holding the necessary device lock, creating a use\u2011after\u2011free condition during the bus match callback. This flaw is a typical use\u2011after\u2011free (CWE\u2011413) that can corrupt memory or trigger unintended execution paths if the driver structure is freed while still being referenced.", "risk_and_exploitability": "The flaw can be exploited locally by triggering a device match during attachment, such as through a malicious device or automated device enumeration. The likely attack vector is local device interaction, allowing an attacker with physical or remote local access to induce the improper match(). The CVSS score of 7.8 indicates high severity, the EPSS score of <\u202f1\u202f% suggests a low exploitation probability at this time, and the vulnerability is not listed in CISA KEV. The lack of device lock protection during match() is the critical weakness, and an attacker with local access could use this to gain kernel privileges, making the risk moderate to high for exposed systems."}}}}, "created": "2026-04-27T19:30:11.879840+00:00", "updated": "2026-04-29T00:00:13.840122+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}