CVE-2026-31573
Description
In the Linux kernel, the following vulnerability has been resolved:
media: verisilicon: Fix kernel panic due to __initconst misuse
Fix a kernel panic when probing the driver as a module:
  Unable to handle kernel paging request at virtual address ffffd9c18eb05000
  of_find_matching_node_and_match+0x5c/0x1a0
  hantro_probe+0x2f4/0x7d0 [hantro_vpu]
The imx8mq_vpu_shared_resources array is referenced by variant structures through their shared_devices field. When built as a module, __initconst causes this data to be freed after module init, but it's later accessed during probe, causing a page fault.
The imx8mq_vpu_shared_resources is referenced from non-init code, so keeping __initconst or __initconst_or_module here is wrong.
Drop the __initconst annotation and let it live in the normal .rodata section.
A bug of __initconst called from regular non-init probe code leading to bugs during probe deferrals or during unbind-bind cycles.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, misuse of __initconst in the hantro_vpu driver causes a kernel panic when built as a module due to accessing freed init data during probe.
The vulnerability resides in the Verisilicon Hantro VPU driver (hantro_vpu) in the Linux kernel. The imx8mq_vpu_shared_resources array was annotated with __initconst, which causes the data to be placed in a section that is freed after module initialization. However, this array is referenced by variant structures via the shared_devices field, which is accessed during non-init probe code. When the driver is built as a module, the freed memory is later accessed, resulting in a kernel panic due to a page fault [1][2].
Exploitation occurs during normal driver probe operations, such as initial module loading, probe deferrals, or unbind-bind cycles. No special privileges are required beyond the ability to load the affected kernel module. The panic manifests as an "Unable to handle kernel paging request" at the virtual address of the freed array, typically triggered when the system boots or when the VPU hardware is discovered.
The impact is a denial of service via kernel panic. While the immediate effect is system crash, the use-after-free condition could potentially be leveraged for privilege escalation in certain scenarios, but the primary risk is system instability. The vulnerability affects systems using the Hantro VPU driver, commonly found in embedded platforms like i.MX8MQ.
The fix is to remove the __initconst annotation so that the array resides in the normal .rodata section and is not freed after init. The patch has been applied to the Linux kernel stable branches [1][2]. Users should update to a kernel version containing this commit to prevent the panic.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
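A source-level check for the pattern described above, as an added example (not code from the kernel or from this page): it flags persistent data whose initializer points at a table annotated __initconst or __initdata. The C sample is constructed; the variant name example_variant, the struct layout and the compatible string are assumptions.

```python
import re

# Constructed sample modelled on the description; example_variant and the
# compatible string are assumptions, not the driver's actual source.
BUGGY = '''
static const struct of_device_id imx8mq_vpu_shared_resources[] __initconst = {
    { .compatible = "example,vpu-a", },
    { /* sentinel */ }
};

const struct hantro_variant example_variant = {
    .shared_devices = imx8mq_vpu_shared_resources,
};
'''
FIXED = BUGGY.replace(" __initconst", "")  # the fix: plain .rodata

# Annotations that place data in a section discarded after init.
INIT_ANNOT = re.compile(r"\b__init(?:const|data)(?:_or_module)?\b")
# One top-level definition "<declarator> = { ... };" whose closing brace is
# at column 0 (kernel coding style is assumed).
DEFN = re.compile(r"^(?P<decl>[^\n{};=]+?)\s*=\s*\{(?P<body>.*?)^\};", re.S | re.M)
# Object name: last identifier before optional [] and trailing __annotations.
NAME = re.compile(r"(\w+)\s*(?:\[[^\]]*\])?\s*(?:__\w+\s*)*$")


def init_refs_from_persistent_data(source):
    """Return (object, init_symbol) pairs where non-init data points at init data."""
    defs = []
    for m in DEFN.finditer(source):
        decl = m.group("decl")
        name = NAME.search(decl).group(1)
        defs.append((name, bool(INIT_ANNOT.search(decl)), m.group("body")))
    init_syms = {name for name, is_init, _ in defs if is_init}
    findings = []
    for name, is_init, body in defs:
        if is_init:
            continue  # init data may legitimately reference other init data
        for sym in sorted(init_syms):
            if re.search(r"\b%s\b" % re.escape(sym), body):
                findings.append((name, sym))
    return findings


if __name__ == "__main__":
    for obj, sym in init_refs_from_persistent_data(BUGGY):
        print(f"{obj} keeps a pointer to init-only data {sym}")
```

This is a text heuristic for data-to-data references in a single file; it does not follow references made from function bodies or across translation units.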