{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31621", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.123Z", "datePublished": "2026-04-24T14:42:39.274Z", "dateUpdated": "2026-05-11T22:12:21.098Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:12:21.098Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnge: return after auxiliary_device_uninit() in error path\n\nWhen auxiliary_device_add() fails, the error block calls\nauxiliary_device_uninit() but does not return. The uninit drops the\nlast reference and synchronously runs bnge_aux_dev_release(), which sets\nbd->auxr_dev = NULL and frees the underlying object. The subsequent\nbd->auxr_dev->net = bd->netdev then dereferences NULL, which is not a\ngood thing to have happen when trying to clean up from an error.\n\nAdd the missing return, as the auxiliary bus documentation states is a\nrequirement (seems that LLM tools read documentation better than humans\ndo...)"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/broadcom/bnge/bnge_auxr.c"], "versions": [{"version": "8ac050ec3b1c0dcb5e89cf86fe2ebe0afcc73554", "lessThan": "38c383ec6d37f4b5597f8e6a1f5c2ab31ea01d3a", "status": "affected", "versionType": "git"}, {"version": "8ac050ec3b1c0dcb5e89cf86fe2ebe0afcc73554", "lessThan": "87bc3557c708110d83086bf091328271298a44e3", "status": "affected", "versionType": "git"}, {"version": "8ac050ec3b1c0dcb5e89cf86fe2ebe0afcc73554", "lessThan": "8b0c25528cb64f71a73b5c0d49cbbcb68540a4ce", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/broadcom/bnge/bnge_auxr.c"], "versions": [{"version": "6.19", "status": "affected"}, {"version": "0", "lessThan": "6.19", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.14", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.1", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "7.0.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "7.1-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/38c383ec6d37f4b5597f8e6a1f5c2ab31ea01d3a"}, {"url": "https://git.kernel.org/stable/c/87bc3557c708110d83086bf091328271298a44e3"}, {"url": "https://git.kernel.org/stable/c/8b0c25528cb64f71a73b5c0d49cbbcb68540a4ce"}], "title": "bnge: return after auxiliary_device_uninit() in error path", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB", "versionEndExcluding": "6.19.14", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A", "versionEndExcluding": "7.0.1", "versionStartIncluding": "7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnge: return after auxiliary_device_uninit() in error path\n\nWhen auxiliary_device_add() fails, the error block calls\nauxiliary_device_uninit() but does not return. The uninit drops the\nlast reference and synchronously runs bnge_aux_dev_release(), which sets\nbd->auxr_dev = NULL and frees the underlying object. The subsequent\nbd->auxr_dev->net = bd->netdev then dereferences NULL, which is not a\ngood thing to have happen when trying to clean up from an error.\n\nAdd the missing return, as the auxiliary bus documentation states is a\nrequirement (seems that LLM tools read documentation better than humans\ndo...)"}], "id": "CVE-2026-31621", "lastModified": "2026-04-28T14:05:14.443", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-24T15:16:41.380", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/38c383ec6d37f4b5597f8e6a1f5c2ab31ea01d3a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/87bc3557c708110d83086bf091328271298a44e3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8b0c25528cb64f71a73b5c0d49cbbcb68540a4ce"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-908"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: bnge: return after auxiliary_device_uninit() in error path", "id": "2461531", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461531"}, "csaw": false, "cwe": "CWE-476", "details": ["A flaw was found in the Linux kernel's bnge driver. When an error occurs during device initialization, the driver fails to return after deallocating a device, leading to a null pointer dereference. This can cause system instability or a crash, resulting in a Denial of Service (DoS) for affected systems."], "name": "CVE-2026-31621", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31621\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31621\nhttps://lore.kernel.org/linux-cve-announce/2026042425-CVE-2026-31621-0c38@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8ac050ec3b1c0dcb5e89cf86fe2ebe0afcc73554,38c383ec6d37f4b5597f8e6a1f5c2ab31ea01d3a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8ac050ec3b1c0dcb5e89cf86fe2ebe0afcc73554,87bc3557c708110d83086bf091328271298a44e3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8ac050ec3b1c0dcb5e89cf86fe2ebe0afcc73554,8b0c25528cb64f71a73b5c0d49cbbcb68540a4ce)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.19"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.19)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.14,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0.1,7.1.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.1-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T20:09:35.058318+00:00", "value": {"mitigation_remediation": ["Apply the kernel commit that adds a return after auxiliary_device_uninit in the error path.", "Ensure the running kernel is at least the patched revision by upgrading to a newer kernel image.", "If immediate kernel upgrade is not possible, avoid invoking auxiliary_device_add calls that might fail or disable auxiliary bus drivers while the unpatched code is in use."], "summary": {"action": "Immediate Patch", "impact": "NULL pointer dereference causing kernel crash (Denial of Service)"}, "threat_synthesis": {"affected_systems": "All Linux kernels that include the auxiliary bus implementation and have not applied the commit that adds the missing return are affected. No specific version list is provided, so any kernel prior to the patch is considered vulnerable.", "description_and_impact": "In the Linux kernel, an error in the auxiliary bus code causes a NULL pointer dereference during cleanup of a failed auxiliary_device_add. The missing return statement allows the uninit routine to execute and free the auxiliary device structure, after which the code touches stored fields of the now\u2011NULL structure, leading to a kernel crash. This flaw involves a null pointer dereference (CWE\u2011476) and a missing return control flow error (CWE\u2011908) that results in a denial of service by causing the kernel to panic. The vulnerability does not provide a direct path for privilege escalation or data exfiltration; its primary impact is loss of availability.", "risk_and_exploitability": "The EPSS score is reported as less than 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a very low probability of prevalence in the wild. Exploitation would require local privileged code path to trigger the failed auxiliary_device_add, which is unlikely in most deployments. The high impact of a kernel crash makes prompt remediation important, but the low likelihood reduces urgency for environments that cannot immediately update the kernel. The CVSS score of 5.5 indicates moderate severity."}}}}, "created": "2026-04-27T18:45:11.329211+00:00", "updated": "2026-04-28T20:15:26.824034+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}