PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31399 Linux CVE debrief

CVE-2026-31399 is a Linux kernel use-after-free in nvdimm/bus asynchronous initialization. According to the supplied record, the bug can occur when device_add() fails during nd_async_device_register(), causing the parent reference handling to reach a freed object. NVD assigns CVSS 7.8 and lists the issue as locally exploitable with high impacts to confidentiality, integrity, and availability.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-03
Original CVE updated: 2026-05-20
Advisory published: 2026-04-03
Advisory updated: 2026-05-20

Who should care

Linux kernel maintainers, distro security teams, and operators running kernels that include the affected nvdimm/bus code path should care most. This is especially relevant for environments that track upstream or stable kernel updates closely and for fleets that depend on persistent-memory or NVDIMM-related functionality.

Technical summary

The vulnerability is a CWE-416 use-after-free in the Linux kernel nvdimm/bus asynchronous initialization path. The supplied description says a prior fix correctly held a reference on the parent device while async init was scheduled, but if device_add() fails due to allocation failure, the device reference drops to zero before the parent pointer is accessed. The result is a use-after-free in nd_async_device_register(). NVD identifies affected Linux kernel ranges across multiple stable branches and mainline releases, and the record includes several kernel.org stable patch references.
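The ordering problem the description gives (the device's own reference dropped on the device_add() failure path, then the parent pointer read back through the released object) is easier to see in a small model. The block below is an added illustration written for this debrief, not the kernel's nvdimm code: the struct, the fake_device_add() stand-in, the poisoned release path and the "touched a released object" flag are all constructed here so the two orderings can be compared deterministically without real memory corruption.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model object: a refcounted device with a parent pointer. */
struct dev {
    int refcount;
    int freed;            /* model-only: set when the last reference is dropped */
    struct dev *parent;
};

static int touched_freed_object;   /* model-only sanitizer flag */

static void dev_get(struct dev *d) { d->refcount++; }

/* Model of the release path: the kernel would hand the memory back to the
 * allocator; here the object is only poisoned so a later touch is observable. */
static void dev_put(struct dev *d)
{
    if (--d->refcount == 0) {
        d->freed = 1;
        d->parent = NULL;
    }
}

/* Stand-in for reading d->parent: records a touch of a released object
 * instead of reading garbage. */
static struct dev *dev_parent(struct dev *d)
{
    if (d->freed) {
        touched_freed_object = 1;
        return NULL;
    }
    return d->parent;
}

/* Constructed stand-in for device_add(); -12 mimics -ENOMEM. */
static int fake_device_add(struct dev *d, int fail)
{
    (void)d;
    return fail ? -12 : 0;
}

/* Shared setup: a reference on the parent is taken when the async
 * registration is scheduled, matching the prior fix the summary mentions. */
static void schedule_async_register(struct dev *d, struct dev *parent)
{
    d->refcount = 1;
    d->freed = 0;
    d->parent = parent;
    dev_get(parent);
}

/* Bad ordering: on failure the device's last reference is dropped first,
 * and only then is its parent pointer read to release the parent reference. */
static int async_register_buggy(struct dev *d, int fail_add)
{
    int err = fake_device_add(d, fail_add);
    if (err) {
        dev_put(d);                           /* last reference: d is released here */
        struct dev *parent = dev_parent(d);   /* read through a released object */
        if (parent)
            dev_put(parent);
        return err;
    }
    dev_put(dev_parent(d));                   /* success: drop the scheduling-time parent ref */
    return 0;
}

/* Safe ordering: capture the parent while the device is still alive,
 * then drop the device reference, then the parent reference. */
static int async_register_fixed(struct dev *d, int fail_add)
{
    struct dev *parent = dev_parent(d);
    int err = fake_device_add(d, fail_add);
    if (err)
        dev_put(d);
    dev_put(parent);
    return err;
}

/* Runs one scenario and classifies the outcome:
 *   0 = clean, 1 = released object was touched, 2 = parent reference leaked. */
int run_scenario(int use_fixed, int fail_add)
{
    struct dev parent = { .refcount = 1, .freed = 0, .parent = NULL };
    struct dev child;
    touched_freed_object = 0;
    schedule_async_register(&child, &parent);
    if (use_fixed)
        async_register_fixed(&child, fail_add);
    else
        async_register_buggy(&child, fail_add);
    if (touched_freed_object)
        return 1;
    if (parent.refcount != 1)
        return 2;
    return 0;
}

int main(void)
{
    printf("buggy, device_add fails: %d\n", run_scenario(0, 1));
    printf("fixed, device_add fails: %d\n", run_scenario(1, 1));
    printf("buggy, device_add ok:    %d\n", run_scenario(0, 0));
    printf("fixed, device_add ok:    %d\n", run_scenario(1, 0));
    return 0;
}
```

Only the failure path differs between the two variants; on success both release the parent reference the same way. The point for reviewers of similar async registration code is that any pointer needed after the object's own put must be copied out before that put, regardless of how the object is normally kept alive.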

Defensive priority

High. Patch promptly on any system running an affected Linux kernel, especially if your fleet uses kernels from the impacted version ranges or downstream builds that may have backported the vulnerable code.

Recommended defensive actions

  • Upgrade to a kernel build that includes the official fix or a downstream backport from the referenced stable patches.
  • Check deployed kernel versions against the NVD affected ranges, including the long-term stable branches listed in the record.
  • Prioritize remediation on systems that use or ship the nvdimm subsystem and on fleets that regularly exercise asynchronous device initialization.
  • Track vendor advisories and confirm your distribution's kernel package includes the relevant backport, not just the upstream version number.
  • After patching, verify the running kernel version on hosts rather than relying only on package inventory.

Evidence notes

The assessment is based on the supplied CVE description and the NVD record. The description explicitly states a use-after-free in nd_async_device_register() when device_add() fails, and NVD classifies the weakness as CWE-416 with CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. NVD also lists multiple official git.kernel.org stable patch references and affected Linux kernel version ranges.

Official resources

Published by NVD on 2026-04-03 and last modified on 2026-05-20. The NVD record is marked analyzed and includes official kernel.org patch references. No KEV entry is listed in the supplied data.