Use-After-Free Vulnerability in Linux Kernel Affecting Vub300 Driver
CVE-2026-31650

Currently unrated

Key Information:

Vendor: Linux

CVE Published: 24 April 2026

What is CVE-2026-31650?

The Linux kernel's vub300 driver contains a flaw that can lead to a use-after-free when the device is disconnected. The driver mismanages the reference counts for the controller, so the last reference can be dropped after the driver has been unbound. As a result, memory that is still in use may be released, and memory leaks are also possible. In addition, the controller's lifetime is incorrectly tied to the parent USB device rather than to the interface itself, which can create instability, particularly if the driver is unbound without the device being physically disconnected. The fix is to return to non-managed memory allocation for the controller.

Affected Version(s)

Linux dcfdd698dc521c6046e9b80c16281575efb25d23

Linux dcfdd698dc521c6046e9b80c16281575efb25d23 < 8f4d20a710225ec7a565f6a0459862d3b1f32330

Timeline

  • Vulnerability published

  • Vulnerability Reserved
