CVE-2026-31576

media: hackrf: fix to not free memory after the device is registered in hackrf_probe()

Assigner: Linux
Reserved: 09.03.2026 Published: 24.04.2026 Updated: 24.04.2026

In the Linux kernel, the following vulnerability has been resolved:

media: hackrf: fix to not free memory after the device is registered in hackrf_probe()

In hackrf driver, the following race condition occurs: CPU0 CPU1 hackrf_probe() kzalloc(); // alloc hackrf_dev .... v4l2_device_register(); .... fd = sys_open("/path/to/dev"); // open hackrf fd .... v4l2_device_unregister(); .... kfree(); // free hackrf_dev .... sys_ioctl(fd, ...); v4l2_ioctl(); video_is_registered() // UAF!! .... sys_close(fd); v4l2_release() // UAF!! hackrf_video_release() kfree(); // DFB!!

When a V4L2 or video device is unregistered, the device node is removed so new open() calls are blocked.

However, file descriptors that are already open-and any in-flight I/O-do not terminate immediately; they remain valid until the last reference is dropped and the driver's release() is invoked.

Therefore, freeing device memory on the error path after hackrf_probe() has registered dev it will lead to a race to use-after-free vuln, since those already-open handles haven't been released yet.

And since release() free memory too, race to use-after-free and double-free vuln occur.

To prevent this, if device is registered from probe(), it should be modified to free memory only through release() rather than calling kfree() directly.

Product Status

Vendor	Linux
Product	Linux
Versions	Default: unaffected affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 98a0a81ce78020c2522e0046f49d200de9778cb9 (excl.) affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 07e9e674b6146b1f6fc41b1f54b8968bf2802824 (excl.) affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 2145c71a8044362e82e9923f001ba2aeb771b848 (excl.) affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to fcd1d70792a35c8a97414fe429f48311e41269c2 (excl.)

Vendor

Linux

Product

Linux

Versions

Default: unaffected

affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 98a0a81ce78020c2522e0046f49d200de9778cb9 (excl.)
affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 07e9e674b6146b1f6fc41b1f54b8968bf2802824 (excl.)
affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 2145c71a8044362e82e9923f001ba2aeb771b848 (excl.)
affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to fcd1d70792a35c8a97414fe429f48311e41269c2 (excl.)

Vendor	Linux
Product	Linux
Versions	Default: affected unaffected from 6.12.83 to 6.12.* (incl.) unaffected from 6.18.24 to 6.18.* (incl.) unaffected from 6.19.14 to 6.19.* (incl.) unaffected from 7.0.1 to 7.0.* (incl.)

Vendor

Linux

Product

Linux

Versions

Default: affected

unaffected from 6.12.83 to 6.12.* (incl.)
unaffected from 6.18.24 to 6.18.* (incl.)
unaffected from 6.19.14 to 6.19.* (incl.)
unaffected from 7.0.1 to 7.0.* (incl.)

References

CVE-2026-31576 PUBLISHED

media: hackrf: fix to not free memory after the device is registered in hackrf_probe()

Product Status

References