Vulnerabilities ›

CVE-2026-31576

High

CWE-416 — Weakness Type

                    Published: Apr 24, 2026                      ·  Modified: May 1, 2026                      ·  Source: NVD                

CVSS v3

7.8

🔗 NVD Official

📄 Description (English)

In the Linux kernel, the following vulnerability has been resolved:

media: hackrf: fix to not free memory after the device is registered in hackrf_probe()

In hackrf driver, the following race condition occurs:
```
CPU0 CPU1
hackrf_probe()
kzalloc(); // alloc hackrf_dev
....
v4l2_device_register();
....
fd = sys_open("/path/to/dev"); // open hackrf fd
....
v4l2_device_unregister();
....
kfree(); // free hackrf_dev
....
sys_ioctl(fd, ...);
v4l2_ioctl();
video_is_registered() // UAF!!
....
sys_close(fd);
v4l2_release() // UAF!!
hackrf_video_release()
kfree(); // DFB!!
```

When a V4L2 or video device is unregistered, the device node is removed so
new open() calls are blocked.

However, file descriptors that are already open-and any in-flight I/O-do
not terminate immediately; they remain valid until the last reference is
dropped and the driver's release() is invoked.

Therefore, freeing device memory on the error path after hackrf_probe()
has registered dev it will lead to a race to use-after-free vuln, since
those already-open handles haven't been released yet.

And since release() free memory too, race to use-after-free and
double-free vuln occur.

To prevent this, if device is registered from probe(), it should be
modified to free memory only through release() rather than calling
kfree() directly.

🤖 AI Executive Summary

CVE-2026-31576 is a use-after-free vulnerability in the Linux kernel's HackRF media driver that occurs due to improper memory management during device registration. The vulnerability allows local attackers with file descriptor access to trigger UAF and double-free conditions through race conditions between probe error handling and device release operations. With a CVSS score of 7.8, this poses a significant risk for systems running affected kernel versions with HackRF hardware or drivers loaded.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 29, 2026 11:54

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability primarily affects Saudi organizations operating research institutions, telecommunications infrastructure testing labs (STC, Zain, Mobily), and government cybersecurity agencies (NCA) that may utilize HackRF devices for spectrum analysis, signal processing, or security research. The vulnerability could be exploited by local attackers to achieve kernel-level code execution, potentially compromising critical infrastructure monitoring systems. Government entities and telecom operators conducting RF testing or research are at highest risk. The impact is moderate for most enterprise environments unless HackRF drivers are explicitly loaded.

🏢 Affected Saudi Sectors

Government (NCA, NCSC) Telecommunications (STC, Zain, Mobily) Research & Development Cybersecurity Testing Labs Spectrum Management Authorities Defense & Security

🎯 MITRE ATT&CK Techniques

T1068 - Exploitation for Privilege Escalation T1499 - Endpoint Denial of Service T1203 - Exploitation for Client Execution T1547 - Boot or Logon Autostart Execution

⚖️ Saudi Risk Score (AI)

6.2

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Identify systems running Linux kernel versions with HackRF driver support

2. Check if HackRF hardware or drivers are actively loaded: lsmod | grep hackrf

3. Restrict local access to HackRF devices using file permissions and SELinux policies



Patching Guidance:

1. Apply the latest Linux kernel patch that resolves the memory management issue in hackrf_probe()

2. Ensure the fix modifies memory deallocation to occur only through release() rather than kfree() on error paths

3. Test patches in non-production environments before deployment

4. Prioritize patching for systems with HackRF hardware attached



Compensating Controls (if immediate patching unavailable):

1. Disable HackRF driver module: modprobe -r hackrf

2. Remove HackRF hardware from systems if not actively required

3. Implement strict access controls to /dev/video* devices

4. Use AppArmor or SELinux to restrict ioctl operations on video devices

5. Monitor for suspicious ioctl calls: auditctl -w /dev/video* -p x -k hackrf_monitor



Detection Rules:

1. Monitor for UAF-related kernel panics in dmesg logs

2. Alert on multiple rapid open/close cycles on /dev/video* devices

3. Track failed ioctl operations on video devices from unprivileged users

4. Monitor kernel memory corruption indicators and KASAN warnings

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد الأنظمة التي تقوم بتشغيل إصدارات نواة Linux مع دعم مشغل HackRF

2. التحقق مما إذا كان جهاز HackRF أو المشغلات محملة بنشاط: lsmod | grep hackrf

3. تقييد الوصول المحلي إلى أجهزة HackRF باستخدام أذونات الملفات وسياسات SELinux

إرشادات التصحيح:

1. تطبيق أحدث تصحيح نواة Linux الذي يحل مشكلة إدارة الذاكرة في hackrf_probe()

2. التأكد من أن الإصلاح يعدل إلغاء تخصيص الذاكرة ليحدث فقط من خلال release() وليس kfree() في مسارات الخطأ

3. اختبار التصحيحات في بيئات غير الإنتاج قبل النشر

4. إعطاء الأولوية لتصحيح الأنظمة التي تحتوي على أجهزة HackRF المرفقة

الضوابط البديلة (إذا لم يكن التصحيح الفوري متاحاً):

1. تعطيل وحدة مشغل HackRF: modprobe -r hackrf

2. إزالة أجهزة HackRF من الأنظمة إذا لم تكن مطلوبة بنشاط

3. تنفيذ ضوابط وصول صارمة على أجهزة /dev/video*

4. استخدام AppArmor أو SELinux لتقييد عمليات ioctl على أجهزة الفيديو

5. مراقبة استدعاءات ioctl المريبة: auditctl -w /dev/video* -p x -k hackrf_monitor

قواعد الكشف:

1. مراقبة حالات الذعر في النواة المتعلقة بـ UAF في سجلات dmesg

2. التنبيه على دورات فتح/إغلاق سريعة متعددة على أجهزة /dev/video*

3. تتبع عمليات ioctl الفاشلة على أجهزة الفيديو من المستخدمين غير المميزين

4. مراقبة مؤشرات تلف ذاكرة النواة وتحذيرات KASAN

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.12.6.1 - Management of technical vulnerabilities ECC 2024 A.14.2.1 - Secure development policy ECC 2024 A.12.2.1 - Monitoring and logging of access

🔵 SAMA CSF

SAMA CSF ID.BE-5.1 - Cybersecurity risk management processes SAMA CSF PR.DS-6 - Data is protected from unauthorized access SAMA CSF DE.CM-1 - The network is monitored to detect potential cybersecurity events

🟡 ISO 27001:2022

ISO 27001:2022 A.12.2.1 - Monitoring and logging ISO 27001:2022 A.14.2.1 - Secure development policy and procedures ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities

🔗 References & Sources 6

🔗

https://git.kernel.org/stable/c/07e9e674b6146b1f6fc41b1f54b8968bf2802824

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/2145c71a8044362e82e9923f001ba2aeb771b848

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/3b7da2b4d0fe014eff181ed37e3bf832eb8ed258

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/45cbaf5c7cdc5386d86377f0daf94a17a007fed0

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/98a0a81ce78020c2522e0046f49d200de9778cb9

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/fcd1d70792a35c8a97414fe429f48311e41269c2

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

📦 Affected Products / CPE 5 entries

linux:linux_kernel

📊 CVSS Score

7.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.8

CWECWE-416

EPSS0.01%

Exploit No

Patch ✓ Yes

Published 2026-04-24

Source Feed nvd

🇸🇦 Saudi Risk Score

6.2

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

patch-available CWE-416

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-31576

💬 Comments

Introduce Yourself

Sign In Required