CVE-2026-31399
Description
In the Linux kernel, the following vulnerability has been resolved:
nvdimm/bus: Fix potential use after free in asynchronous initialization
Dingisoul with KASAN reports a use after free if device_add() fails in nd_async_device_register().
Commit b6eae0f61db2 ("libnvdimm: Hold reference on parent while scheduling async init") correctly added a reference on the parent device to be held until asynchronous initialization was complete. However, if device_add() results in an allocation failure, the ref count of the device drops to 0 prior to the parent pointer being accessed, thus resulting in use after free.
The bug bot AI correctly identified the fix. Save a reference to the parent pointer to be used to drop the parent reference regardless of the outcome of device_add().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in the Linux kernel's nvdimm/bus code: when device_add() fails during asynchronous initialization, the parent pointer is read through the device after the device's reference count has dropped to zero.
Vulnerability
Description
In the Linux kernel's NVDIMM subsystem, a use-after-free vulnerability exists in the nd_async_device_register() function. The issue occurs when device_add() fails (e.g., due to memory allocation failure). Prior patch b6eae0f61db2 added a reference on the parent device to be held until async initialization completes, but if device_add() fails, the device's reference count drops to zero before the parent pointer is accessed, leading to a use-after-free condition. This was reported by Dingisoul with KASAN [1].
Exploitation
Exploitation requires triggering a failure in device_add() during NVDIMM device registration. An attacker with the ability to influence memory pressure or cause resource exhaustion could potentially trigger this condition. The vulnerability is local and requires access to the NVDIMM subsystem, but no special privileges are needed beyond being able to trigger device registration.
Impact
A successful exploit could lead to memory corruption with potential escalation of privilege or system crash (denial of service). The use-after-free allows an attacker to manipulate freed memory, potentially leading to arbitrary code execution in kernel context.
Mitigation
The fix involves saving a reference to the parent pointer before calling device_add(), ensuring the parent reference is properly dropped regardless of the outcome [1]. The patch has been applied to the stable kernel trees as referenced in the commits. Users should update to the latest stable kernel containing these fixes.
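The ordering problem and its fix, reduced to a user-space model. This is an added example, not the kernel patch or any code from the referenced commits: `toy_dev`, `toy_put`, `toy_parent`, `reg_before_fix`, `reg_after_fix` and `run` are hypothetical names, and the starting reference counts of two are an assumption chosen so that a failed add releases the device's last reference.

```c
/* Toy stand-in for struct device; every name here is hypothetical. */
struct toy_dev { int refs, freed; struct toy_dev *parent; };
static int stale_reads;   /* reads of ->parent after the object's last put */

static void toy_put(struct toy_dev *d)
{
    if (--d->refs == 0)
        d->freed = 1;     /* flag instead of free(), so the model stays defined */
}

static struct toy_dev *toy_parent(struct toy_dev *d)
{
    if (d->freed)
        stale_reads++;    /* the access KASAN would report */
    return d->parent;
}

/* Pre-fix ordering: parent is reached through dev after dev's puts. */
static void reg_before_fix(struct toy_dev *dev, int add_fails)
{
    if (add_fails)
        toy_put(dev);     /* error path drops one reference */
    toy_put(dev);         /* reference held for async init */
    struct toy_dev *p = toy_parent(dev);
    if (p)
        toy_put(p);
}

/* Post-fix ordering: parent pointer saved before anything can free dev. */
static void reg_after_fix(struct toy_dev *dev, int add_fails)
{
    struct toy_dev *p = toy_parent(dev);
    if (add_fails)
        toy_put(dev);
    toy_put(dev);
    if (p)
        toy_put(p);
}

/* One scenario; dev and parent each start with two references (assumed). */
static int run(void (*fn)(struct toy_dev *, int), int add_fails)
{
    struct toy_dev parent = { .refs = 2 }, dev = { .refs = 2, .parent = &parent };
    stale_reads = 0;
    fn(&dev, add_fails);
    return stale_reads;
}

int main(void) { return !(run(reg_before_fix, 1) == 1 && run(reg_after_fix, 1) == 0); }
```

On the success path both orderings are safe because the device still holds a reference; only the failed-add path exposes the stale read, which is why the bug needs an allocation failure to surface.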
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References (8)
- git.kernel.org/stable/c/2c638259ad750833fd46a0cf57672a618542d84c (nvd, Patch)
- git.kernel.org/stable/c/6fc36c2a925ceaba203eb13d75a8f0879a2c121b (nvd, Patch)
- git.kernel.org/stable/c/84af19855d1abdee3c9d57c0684e2868e391793c (nvd, Patch)
- git.kernel.org/stable/c/9a0fb16ba5b372465a3a1ecd761c6fa911a4ab4d (nvd, Patch)
- git.kernel.org/stable/c/a226e5b49e5fe8c98b14f8507de670189d191348 (nvd, Patch)
- git.kernel.org/stable/c/a36cf138500e56f50db9f9a33222df6969b38326 (nvd, Patch)
- git.kernel.org/stable/c/a8aec14230322ed8f1e8042b6d656c1631d41163 (nvd, Patch)
- git.kernel.org/stable/c/e48bf8f1d2b12c1c5ba1f609edbd4cde5dadc20e (nvd, Patch)