KernelScan.io

HIGH

media as102 Device UAF

CVE-2026-31578

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH


In the Linux kernel, the following vulnerability has been resolved:

media: as102: fix to not free memory after the device is registered in as102_usb_probe()

In the as102_usb driver, the following race condition occurs:

```
CPU0                                    CPU1

as102_usb_probe()
  kzalloc(); // alloc as102_dev_t
  ....
  usb_register_dev();
                                        fd = sys_open("/path/to/dev"); // open as102 fd
                                        ....
  usb_deregister_dev();
  ....
  kfree(); // free as102_dev_t
  ....
                                        sys_close(fd);
                                          as102_release() // UAF!!
                                            as102_usb_release()
                                              kfree(); // DFB!!
```

When a USB character device registered with usb_register_dev() is later unregistered (via usb_deregister_dev() or disconnect), the device node is removed so new open() calls fail. However, file descriptors that are already open do not go away immediately: they remain valid until the last reference is dropped and the driver's .release() is invoked.

In as102, as102_usb_probe() calls usb_register_dev() and then, on an error path, does usb_deregister_dev() and frees as102_dev_t right away. If userspace raced a successful open() before the deregistration, that open FD will later hit as102_release() --> as102_usb_release() and access or free as102_dev_t again, resulting in a race that leads to use-after-free and double-free vulnerabilities.

The fix is to never kfree(as102_dev_t) directly once usb_register_dev() has succeeded. After deregistration, defer freeing memory to .release().

In other words, let release() perform the last kfree when the final open FD is closed.


Engine v0.2.0

Risk summary

An attacker with local access and ability to manipulate USB devices could trigger a use-after-free condition by opening the as102 media device and causing probe failures. This could lead to memory corruption, system crashes, or potentially arbitrary code execution with kernel privileges.

Affected: drivers/media/usb/as102/as102_usb_drv.c

Vulnerability analysis

Summary: Race condition in USB device lifecycle management leading to use-after-free and double-free vulnerabilities in the as102 media USB driver.

Root Cause: The as102_usb_probe() function incorrectly frees the as102_dev_t structure immediately after calling usb_deregister_dev() on error paths, even though file descriptors may still be open. When userspace has an open file descriptor to the device and the probe function fails, the device structure gets freed while the file descriptor remains valid. Later, when userspace closes the file descriptor, the release callback (as102_release() -> as102_usb_release()) attempts to access and free the already-freed structure.

Attack Surface: Local attack surface requiring physical USB access or ability to trigger USB device probe failures. An attacker needs to be able to open the device file and cause probe function failures through USB device manipulation or resource exhaustion.

Fix Mechanism: The fix modifies the error handling path to avoid freeing the device structure after usb_register_dev() has succeeded. Instead of immediately freeing memory on error, it sets the interface data to NULL and returns, allowing the release callback to handle the final cleanup when the last file descriptor is closed. This ensures proper reference counting and prevents premature memory deallocation.
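The lifetime rule behind the fix, as an added userspace model that is not the as102 driver's code or the upstream patch. All names (`model_dev`, `model_put`, `probe_error`, `run_race`) are hypothetical, and the explicit reference count is an assumption of this sketch; it replays the CPU0/CPU1 interleaving from the description and counts frees and dangling descriptors for both error-path variants.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model of the lifetime rule; every name here is hypothetical. */
struct model_dev {
    int refs;        /* one for probe, plus one per open file descriptor */
    int registered;  /* 1 while the device node exists */
};
static int frees;        /* times a model_dev was freed in the current run */
static int dangling_fds; /* open fds left pointing at freed memory */

static void model_put(struct model_dev *d)   /* stands in for .release() */
{
    if (--d->refs == 0) { frees++; free(d); }
}

static struct model_dev *model_open(struct model_dev *d)
{
    if (!d->registered) return NULL;         /* node removed: open() fails */
    d->refs++;
    return d;
}

/* Error path taken after registration has already succeeded. */
static void probe_error(struct model_dev *d, int deferred)
{
    d->registered = 0;                       /* deregister: no new opens */
    if (deferred) { model_put(d); return; }  /* fixed: drop probe's ref only */
    dangling_fds += d->refs - 1;             /* pre-fix: free despite open fds */
    frees++; free(d);
}

/* Replays the CPU0/CPU1 interleaving; returns the number of dangling fds. */
static int run_race(int deferred)
{
    struct model_dev *d = calloc(1, sizeof(*d)), *fd;
    if (!d) return -1;
    frees = dangling_fds = 0;
    d->refs = 1; d->registered = 1;          /* probe: allocate and register */
    fd = model_open(d);                      /* CPU1 opens before the failure */
    probe_error(d, deferred);                /* CPU0 fails after registering */
    if (deferred) model_put(fd);             /* close(): last ref frees once */
    /* pre-fix: fd is left unclosed here; closing it is the UAF/double free */
    return dangling_fds;
}

int main(void)
{
    printf("dangling fds: pre-fix %d, deferred %d\n", run_race(0), run_race(1));
    return 0;
}
```

In the deferred variant the object is freed exactly once, by the last holder; in the pre-fix variant one descriptor still points at freed memory when the probe error path returns.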


| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | 0d36653a3a82 |
| 5.15 | 5.15.209 | 25d500cf391e |
| 6.1 | 6.1.175 | 07ceb444c8f6 |
| 6.12 | 6.12.83 | 582fbecb3756 |
| 6.18 | 6.18.24 | 09e9206008b8 |
| 6.19 | 6.19.14 | 2eeae47a4386 |
| 6.6 | 6.6.136 | cb8092038e95 |
| 7.0 | 7.0.1 | 7e5aedf6059c |
| mainline | 7.1-rc1 | 8bd29dbe03fc |