Use-After-Free Vulnerability in Linux Kernel Affecting CXL Devices
CVE-2026-31530
What is CVE-2026-31530?
A use-after-free vulnerability exists in the Linux kernel's support for CXL (Compute Express Link) memory devices. The issue is in cxl_detach_ep() during bottom-up removal of the port hierarchy: the function can touch the parent port of a detached endpoint after that parent has already been freed. Nothing in the original code kept a parent port alive for as long as one of its children still needed it, so two detachments racing against each other can leave one of them dereferencing a freed parent port. Because the stale access does not necessarily fault, the result is silent memory corruption in production environments. The fix is a lifetime rule: a child port holds a reference on its parent device for as long as the child exists, so the parent cannot be freed while a child's detachment is still walking up to it.
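The following is an added userspace model of the lifetime problem described above; it is not kernel code and not the patch itself. The port/endpoint structs, the refcount, the detach walk and the two-endpoint scenario are all constructed stand-ins for the CXL port hierarchy and cxl_detach_ep(). Released objects are parked in a quarantine instead of being passed to free(), so a stale access is counted rather than left as undefined behaviour. Running the scenario once without the parent reference and once with it shows the stale access disappearing while the parent is still released exactly once.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a port hierarchy (not the kernel's struct cxl_port).
 * Released objects go into a quarantine instead of free() so that a stale
 * access can be observed deterministically instead of corrupting memory. */

struct port {
    const char *name;
    struct port *parent;
    int refcount;        /* analogue of the embedded device refcount */
    int live_children;   /* endpoints still attached below this port */
    bool removed;        /* bottom-up removal already triggered */
    bool dead;           /* refcount reached zero: "freed" */
};

static struct port *quarantine[8];
static int quarantined;
static int uaf_hits;

static void port_release(struct port *p)
{
    p->dead = true;
    quarantine[quarantined++] = p;   /* never reused, so stale use stays visible */
}

static struct port *port_get(struct port *p) { p->refcount++; return p; }
static void port_put(struct port *p) { if (--p->refcount == 0) port_release(p); }

/* Every access through a possibly-stale pointer goes through here. */
static struct port *port_use(struct port *p)
{
    if (p->dead) uaf_hits++;
    return p;
}

/* pin_parent models the lifetime rule from the fix: a child holds a
 * reference on its parent for as long as the child exists. */
static struct port *port_alloc(const char *name, struct port *parent, bool pin_parent)
{
    struct port *p = calloc(1, sizeof *p);
    p->name = name;
    p->refcount = 1;
    p->parent = parent;
    if (parent) {
        parent->live_children++;
        if (pin_parent) port_get(parent);
    }
    return p;
}

/* Stand-in for the bottom-up removal: unlink the endpoint, release it, then
 * decide whether the parent is now empty and must be removed as well. `race`
 * models a concurrent detachment running in the window between the two halves. */
static void detach_endpoint(struct port *ep, bool pinned, void (*race)(void))
{
    struct port *parent = ep->parent;    /* raw pointer, taken before teardown */
    parent->live_children--;
    port_put(ep);
    if (race) race();
    struct port *pp = port_use(parent);  /* stale if the race released the parent */
    if (pp->live_children == 0 && !pp->removed) {
        pp->removed = true;
        port_put(pp);                    /* drop the parent's own reference */
    }
    if (pinned)
        port_put(pp);                    /* drop the child's reference on the parent */
}

struct outcome { int uaf_hits; bool parent_released; int leaked; };

static bool g_pinned;
static struct port *g_sibling;

static void race_detach_sibling(void)
{
    struct port *s = g_sibling;
    g_sibling = NULL;
    if (s) detach_endpoint(s, g_pinned, NULL);
}

/* Build parent <- {ep0, ep1}, detach ep0 with ep1's detachment interleaved
 * into the window, and report what happened to the parent. */
struct outcome run_scenario(bool pinned)
{
    struct outcome o = {0};
    uaf_hits = 0;
    quarantined = 0;
    g_pinned = pinned;
    struct port *parent = port_alloc("port1", NULL, pinned);
    struct port *ep0 = port_alloc("ep0", parent, pinned);
    g_sibling = port_alloc("ep1", parent, pinned);
    detach_endpoint(ep0, pinned, race_detach_sibling);
    o.uaf_hits = uaf_hits;
    o.parent_released = parent->dead;    /* still readable: it is quarantined, not freed */
    o.leaked = 3 - quarantined;
    for (int i = 0; i < quarantined; i++) free(quarantine[i]);
    return o;
}

int main(void)
{
    struct outcome bad = run_scenario(false), good = run_scenario(true);
    printf("no parent reference: stale accesses=%d parent released=%d leaked=%d\n",
           bad.uaf_hits, bad.parent_released, bad.leaked);
    printf("child pins parent:   stale accesses=%d parent released=%d leaked=%d\n",
           good.uaf_hits, good.parent_released, good.leaked);
    return 0;
}
```

The interleaving is serialized on purpose so the run is deterministic: without the parent reference the sibling's detachment drops the parent's last reference inside the window and the first detachment then reads a released object; with it, the parent's refcount cannot reach zero until the last child has finished its walk. The reference only guarantees the memory stays valid; ordering of the child-count bookkeeping in a real concurrent driver still needs its own locking.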
Affected Version(s)
Linux 2345df54249c6fb7779e2a72b427ee79ed3eaad5 (commit that introduced the issue)
Linux 2345df54249c6fb7779e2a72b427ee79ed3eaad5 < 2c32141462045cf93d54a5146a0ba572b83533dd (kernel trees containing the first commit and not yet containing the fix commit 2c32141462045cf93d54a5146a0ba572b83533dd)