Linux kernel: UAF in nvdimm bus async init (CVE-2026-31399)
CVE-2026-31399 Published on April 3, 2026
nvdimm/bus: Fix potential use after free in asynchronous initialization
In the Linux kernel, the following vulnerability has been resolved:
nvdimm/bus: Fix potential use after free in asynchronous initialization
Dingisoul with KASAN reports a use after free if device_add() fails in
nd_async_device_register().
Commit b6eae0f61db2 ("libnvdimm: Hold reference on parent while
scheduling async init") correctly added a reference on the parent device
to be held until asynchronous initialization was complete. However, if
device_add() results in an allocation failure the ref count of the
device drops to 0 prior to the parent pointer being accessed. Thus
resulting in use after free.
The bug bot AI correctly identified the fix. Save a reference to the
parent pointer to be used to drop the parent reference regardless of the
outcome of device_add().
Products Associated with CVE-2026-31399
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version b6eae0f61db27748606cc00dafcfd1e2c032f0a5 and below 9a0fb16ba5b372465a3a1ecd761c6fa911a4ab4d is affected.
- Version b6eae0f61db27748606cc00dafcfd1e2c032f0a5 and below e48bf8f1d2b12c1c5ba1f609edbd4cde5dadc20e is affected.
- Version b6eae0f61db27748606cc00dafcfd1e2c032f0a5 and below 2c638259ad750833fd46a0cf57672a618542d84c is affected.
- Version b6eae0f61db27748606cc00dafcfd1e2c032f0a5 and below a226e5b49e5fe8c98b14f8507de670189d191348 is affected.
- Version b6eae0f61db27748606cc00dafcfd1e2c032f0a5 and below 84af19855d1abdee3c9d57c0684e2868e391793c is affected.
- Version b6eae0f61db27748606cc00dafcfd1e2c032f0a5 and below a8aec14230322ed8f1e8042b6d656c1631d41163 is affected.
- Version 8954771abdea5c34280870e35592c7226a816d95 is affected.
- Version 3e63a7f25cc85d3d3e174b9b0e3489ebb7eaf4ab is affected.
- Version 1490de2bb0836fc0631c04d0559fdf81545b672f is affected.
- Version e31a8418c8df7e6771414f99ed3d95ba8aca4e05 is affected.
- Version 4f1a55a4f990016406147cf3e0c9487bf83e50f0 is affected.
- Version 4.20 is affected.
- Before 4.20 is unaffected.
- Version 6.1.167, <= 6.1.* is unaffected.
- Version 6.6.130, <= 6.6.* is unaffected.
- Version 6.12.78, <= 6.12.* is unaffected.
- Version 6.18.20, <= 6.18.* is unaffected.
- Version 6.19.10, <= 6.19.* is unaffected.
- Version 7.0-rc5, <= * is unaffected.