PatchSiren cyber security CVE debrief
CVE-2026-31769 Linux CVE debrief
CVE-2026-31769 is a Linux kernel use-after-free in the GPIB ioctl path. A low-privileged local attacker can race IBRD, IBWRT, IBCMD, or IBWAIT against IBCLOSEDEV so that a gpib_descriptor is freed after big_gpib_mutex is released but before the handler finishes using it. NVD rates the issue HIGH, with high confidentiality, integrity, and availability impact, and kernel fixes add a descriptor_busy reference count to block close while IO is active.
- Vendor: Linux
- Product: CVE-2026-31769
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-01
- Original CVE updated: 2026-05-11
- Advisory published: 2026-05-01
- Advisory updated: 2026-05-11
Who should care
Linux kernel maintainers, distribution security teams, and operators of systems that use the kernel GPIB subsystem, especially lab, test, measurement, and industrial environments where local users may have access to GPIB devices.
Technical summary
The kernel description says read_ioctl(), write_ioctl(), and command_ioctl() release board->big_gpib_mutex before invoking the handler, and wait_ioctl() may also drop that lock internally when wait_mask is non-zero. In all four cases, the gpib_descriptor returned by handle_to_descriptor() can become unprotected. A concurrent IBCLOSEDEV ioctl can then free the descriptor via close_dev_ioctl(), creating a use-after-free. The fix introduces a kernel-only descriptor_busy counter in struct gpib_descriptor. Kernel IO paths increment it under file_priv->descriptors_mutex before releasing big_gpib_mutex and decrement it afterward, while close_dev_ioctl() checks the counter under the same lock and returns -EBUSY when the descriptor is busy. The record also notes that io_in_progress alone is insufficient because IBWAIT can clear it from userspace.
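The locking discipline described above, as a userspace model added here for illustration (it is not the kernel patch and not code from the CVE record). A pthread mutex stands in for file_priv->descriptors_mutex; struct file_priv_model, MAX_DESC, io_begin(), io_end(), close_dev() and the -EINVAL return for an unknown handle are assumptions made for the example.

```c
/* Userspace model of the descriptor_busy pattern; NOT kernel source. */
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

#define MAX_DESC 4                      /* hypothetical table size */

struct gpib_descriptor { int descriptor_busy; };
struct file_priv_model {                /* hypothetical stand-in for file_priv */
    pthread_mutex_t descriptors_mutex;  /* guards the table and busy counts */
    struct gpib_descriptor *descriptors[MAX_DESC];
};

/* IO path: pin the descriptor BEFORE big_gpib_mutex would be dropped. */
static struct gpib_descriptor *io_begin(struct file_priv_model *fp, int handle)
{
    struct gpib_descriptor *d = NULL;
    pthread_mutex_lock(&fp->descriptors_mutex);
    if (handle >= 0 && handle < MAX_DESC && (d = fp->descriptors[handle]) != NULL)
        d->descriptor_busy++;
    pthread_mutex_unlock(&fp->descriptors_mutex);
    return d;                           /* NULL: no such open handle */
}

/* IO path: unpin only after the handler has stopped using the descriptor. */
static void io_end(struct file_priv_model *fp, struct gpib_descriptor *d)
{
    pthread_mutex_lock(&fp->descriptors_mutex);
    d->descriptor_busy--;
    pthread_mutex_unlock(&fp->descriptors_mutex);
}

/* Close path: the busy check and the free happen under the same lock. */
static int close_dev(struct file_priv_model *fp, int handle)
{
    int ret = -EINVAL;                  /* assumed code for an unknown handle */
    pthread_mutex_lock(&fp->descriptors_mutex);
    if (handle >= 0 && handle < MAX_DESC && fp->descriptors[handle]) {
        if (fp->descriptors[handle]->descriptor_busy) {
            ret = -EBUSY;               /* IO in flight: refuse to free */
        } else {
            free(fp->descriptors[handle]);
            fp->descriptors[handle] = NULL;
            ret = 0;
        }
    }
    pthread_mutex_unlock(&fp->descriptors_mutex);
    return ret;
}
```

Because the counter is only ever changed by the IO and close paths under descriptors_mutex, a close that arrives while a handler is running gets -EBUSY instead of freeing memory the handler still holds.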
Defensive priority
High. The issue is local but low-privileged, has a race-condition trigger, affects kernel memory safety, and is rated CVSS 7.8 HIGH with high C/I/A impact. Prioritize patches on systems that expose the GPIB subsystem or allow untrusted local access.
Recommended defensive actions
- Upgrade to a Linux kernel version that includes the fix, or apply the vendor backport that corresponds to your distribution.
- Treat the following ranges as vulnerable, per NVD: Linux kernel 6.13 up to (but not including) 6.18.22, 6.19 up to (but not including) 6.19.12, and 7.0-rc1 through 7.0-rc6.
- Check whether the GPIB subsystem is enabled and whether the affected ioctl paths are reachable on your systems.
- Focus remediation first on shared systems, lab workstations, and industrial or test equipment where local users may interact with GPIB devices.
- Validate your environment against vendor advisories and the referenced kernel patches before scheduling maintenance windows.
Evidence notes
All substantive vulnerability details come from the supplied CVE description and the NVD record. The race condition, affected ioctl paths, descriptor_busy fix, and the note about io_in_progress/IBWAIT are from the CVE text. The version ranges and CVSS vector are from NVD metadata. Patch references are the three official kernel.org stable links included in the source corpus. CVE publishedAt and modifiedAt are used as the disclosure timeline.
Official resources
- CVE-2026-31769 CVE record (CVE.org)
- CVE-2026-31769 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
The CVE was publicly recorded by NVD on 2026-05-01T15:16:40.090Z and updated on 2026-05-11T17:56:52.220Z. The supplied kernel patch references are the official remediation links associated with the record.