HIGH
platform DriverOverride UAF
CVE-2026-31527
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

driver core: platform: use generic driver_override infrastructure

When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF.

Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally.

Note that calling match() from __driver_attach() without the device lock held is intentional. [1]
02 KernelScan AI Analysis
Risk summary
A local attacker with sufficient privileges to modify platform device sysfs attributes could trigger a use-after-free condition during device driver binding, potentially leading to kernel memory corruption and privilege escalation.
Vulnerability analysis
Root Cause: The platform bus driver's match() callback accesses the driver_override field without proper locking during device probing via __driver_attach(). Since the device lock is intentionally not held during match() calls, concurrent access to driver_override can result in use-after-free conditions when the field is being modified or freed by another thread.
Attack Surface: Local attack surface requiring the ability to manipulate sysfs attributes (/sys/bus/platform/devices/*/driver_override) and trigger device probing operations. The vulnerability is exposed through the platform device subsystem during driver binding operations.
Fix Mechanism: The patch migrates from a custom driver_override implementation to the generic driver-core infrastructure that handles proper locking internally. It removes the platform-specific driver_override field from struct platform_device and replaces direct field access with device_match_driver_override() and device_set_driver_override() functions that provide thread-safe access.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.80 | 9a6086d2a828 |
| 6.18 | 6.18.21 | 7c02a9bd7d14 |
| 6.19 | 6.19.11 | edee7ee5a14c |
| 6.6 | 6.6.142 | 492349e5e4a3 |
| mainline | 7.0 | 2b38efc05bf7 |
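
The fix table above, applied to a kernel release string such as the output of `uname -r`. This is an added example, not code from KernelScan or the kernel project; the function name is hypothetical, and it assumes upstream stable version numbering, so a distribution kernel that backports the fix under its own version is reported by number only.

```shell
#!/bin/sh
# Added example: classify a kernel release against the fix table on this page.
# Prints "fixed", "unpatched" (listed branch, below the fixed release) or
# "unknown" (branch not in the table, -rc build, or unparsable string).
cve_2026_31527_status() {
    case $1 in
        *-rc*) echo unknown; return 0 ;;   # pre-release: cannot tell from the number
    esac
    rel=${1%%[-+]*}                        # 6.12.79-generic -> 6.12.79
    case $rel in
        ''|*[!0-9.]*|.*|*..*|*.) echo unknown; return 0 ;;
    esac
    major=${rel%%.*}
    rest=${rel#*.}
    if [ "$rest" = "$rel" ]; then          # no minor component at all
        echo unknown; return 0
    fi
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then        # "6.12" is treated as 6.12.0
        patch=0
    fi
    patch=${patch%%.*}
    if [ "$major" -ge 7 ]; then            # mainline fix is in 7.0
        echo fixed; return 0
    fi
    case "$major.$minor" in                # first fixed release per stable branch
        6.6)  min=142 ;;
        6.12) min=80 ;;
        6.18) min=21 ;;
        6.19) min=11 ;;
        *)    echo unknown; return 0 ;;    # branch not listed on this page
    esac
    if [ "$patch" -ge "$min" ]; then
        echo fixed
    else
        echo unpatched
    fi
}

# Constructed sample release strings, not taken from real hosts.
for r in 6.12.79-generic 6.6.142-1-lts 6.19.10 7.0-rc3 6.1.150; do
    printf '%s -> %s\n' "$r" "$(cve_2026_31527_status "$r")"
done
```

On a live host, pass the running release with `cve_2026_31527_status "$(uname -r)"`.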