Device Lock Enforcement in Linux Kernel Affects Driver Functionality
CVE-2026-31688

Currently unrated

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 27 April 2026

What is CVE-2026-31688?

A vulnerability in the Linux kernel involves improper enforcement of device locks within the driver core. The function driver_match_device() is invoked from various sites, leading to inconsistent lock handling. Specifically, while __device_attach_driver correctly holds the device lock, the other invocations do not, allowing bus match() callbacks to execute without the lock, creating a race condition. To resolve this, the new function driver_match_device_locked() ensures that device locks are consistently held, mitigating the risks of use-after-free conditions seen in the driver_override implementation. Stress testing confirmed the absence of race conditions or lock warnings following the implemented changes.

Affected Version(s)

Linux 49b420a13ff95b449947181190b08367348e3e1b

Linux 2.6.30

References

https://git.kernel.org/stable/c/dc23806a7c47ec5f1293aba40...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 27, 2026
Vulnerability Reserved
Mar 9, 2026

CVE-2026-31688 Data

JSON