Linux Kernel Driver Override UAF via __driver_attach() without Lock
CVE-2026-31527 Published on April 22, 2026
driver core: platform: use generic driver_override infrastructure
In the Linux kernel, the following vulnerability has been resolved:
driver core: platform: use generic driver_override infrastructure
When a driver is probed through __driver_attach(), the bus' match()
callback is called without the device lock held, thus accessing the
driver_override field without a lock, which can cause a UAF.
Fix this by using the driver-core driver_override infrastructure taking
care of proper locking internally.
Note that calling match() from __driver_attach() without the device lock
held is intentional. [1]
Products Associated with CVE-2026-31527
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 3d713e0e382e6fcfb4bba1501645b66c129ad60b and below 9a6086d2a828dd2ff74cf9abcae456670febd71f is affected.
- Version 3d713e0e382e6fcfb4bba1501645b66c129ad60b and below 7c02a9bd7d14a89065fcf672b86d8e1d1a41d3b1 is affected.
- Version 3d713e0e382e6fcfb4bba1501645b66c129ad60b and below edee7ee5a14c3b33f6d54641f5af5c5e9180992d is affected.
- Version 3d713e0e382e6fcfb4bba1501645b66c129ad60b and below 2b38efc05bf7a8568ec74bfffea0f5cfa62bc01d is affected.
- Version 3.17 is affected.
- Before 3.17 is unaffected.
- Version 6.12.80, <= 6.12.* is unaffected.
- Version 6.18.21, <= 6.18.* is unaffected.
- Version 6.19.11, <= 6.19.* is unaffected.
- Version 7.0, <= * is unaffected.