HIGH
nvdimm AsyncInit UAF
CVE-2026-31399
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 5.9 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

nvdimm/bus: Fix potential use after free in asynchronous initialization

Dingisoul with KASAN reports a use after free if device_add() fails in nd_async_device_register().

Commit b6eae0f61db2 ("libnvdimm: Hold reference on parent while scheduling async init") correctly added a reference on the parent device to be held until asynchronous initialization was complete.

However, if device_add() results in an allocation failure the ref count of the device drops to 0 prior to the parent pointer being accessed. Thus resulting in use after free.

The bug bot AI correctly identified the fix. Save a reference to the parent pointer to be used to drop the parent reference regardless of the outcome of device_add().
02 KernelScan AI Analysis
Risk summary
Systems with NVDIMM hardware are vulnerable to a use-after-free in the asynchronous device registration path. A privileged local attacker (root) can trigger memory allocation failures during NVDIMM device registration (for example, by reloading the driver or managing namespaces under memory pressure), leading to a use-after-free. This can result in information disclosure, kernel memory corruption, or kernel crashes.
Vulnerability analysis
The root cause is accessing dev->parent after the device reference count drops to zero when device_add() fails in nd_async_device_register(). If device_add() fails, the first put_device() frees the device structure; the second put_device() and subsequent dev->parent access then operate on freed memory. The fix saves the parent pointer before device_add() so the parent reference can be dropped safely regardless of the outcome.
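The ordering problem described above, as an added userspace model in C (not kernel code and not part of the original advisory). The helpers reuse the kernel names `get_device`/`put_device` but are reimplemented here; `device_add_model`, `read_parent`, `run_case` and the starting reference counts are assumptions of this sketch, and "freed" is a flag so a stale access is counted rather than executed.

```c
#include <stdio.h>
/* Userspace model, constructed for illustration: "freed" is a flag, so a
   stale access is counted instead of being undefined behaviour. */
struct device { int refcount; int freed; struct device *parent; };
static int stale_accesses;
static void get_device(struct device *d) { d->refcount++; }
static void put_device(struct device *d) {
    if (d->freed) { stale_accesses++; return; }
    if (--d->refcount == 0) d->freed = 1;   /* last reference: object released */
}
static struct device *read_parent(struct device *d) {
    if (d->freed) stale_accesses++;         /* this is the use after free */
    return d->parent;
}
/* Stand-in for device_add(); fail != 0 simulates the allocation failure. */
static int device_add_model(struct device *d, int fail) { (void)d; return fail ? -12 : 0; }
/* Ordering described for the pre-fix code: parent read through dev last. */
static void register_before_fix(struct device *dev, int fail) {
    if (device_add_model(dev, fail) != 0)
        put_device(dev);
    put_device(dev);
    struct device *parent = read_parent(dev);
    if (parent) put_device(parent);
}
/* Ordering described for the fix: parent pointer saved before device_add(). */
static void register_after_fix(struct device *dev, int fail) {
    struct device *parent = read_parent(dev);
    if (device_add_model(dev, fail) != 0)
        put_device(dev);
    put_device(dev);
    if (parent) put_device(parent);
}
/* Runs one scenario; returns stale accesses, stores parent's final refcount. */
static int run_case(void (*reg)(struct device *, int), int fail, int *parent_refs) {
    struct device parent = { 1, 0, NULL };
    struct device dev = { 1, 0, &parent };
    get_device(&parent);  /* parent reference held across async init */
    get_device(&dev);     /* model assumption: reference held by the queued work */
    stale_accesses = 0;
    reg(&dev, fail);
    *parent_refs = parent.refcount;
    return stale_accesses;
}
int main(void) {
    int refs;
    printf("before fix, add fails: %d stale\n", run_case(register_before_fix, 1, &refs));
    printf("after fix, add fails: %d stale\n", run_case(register_after_fix, 1, &refs));
    return 0;
}
```

In both orderings the parent reference is dropped exactly once; only the pre-fix ordering reaches the parent through a device that has already been released.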
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 4.10 | 4.10 | a36cf138500e |
| 4.15 | 4.15 | 9a0fb16ba5b3 |
| 4.19 | 4.19 | e48bf8f1d2b1 |
| 4.20 | 4.20 | 2c638259ad75 |
| 4.5 | 4.5 | 6fc36c2a925c |
| 5.10 | 5.10.253 | a226e5b49e5f |
| 5.15 | 5.15.203 | 84af19855d1a |
| 6.1 | 6.1.167 | a8aec1423032 |
| 6.12 | 6.12.78 | — |
| 6.18 | 6.18.20 | — |
| 6.19 | 6.19.10 | — |
| 6.6 | 6.6.130 | — |
| mainline | 7.0 | — |