fastrpc RemoteHeap DoubleFree
CVE-2026-31730
Severity: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 5.5 (MEDIUM)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: possible double-free of cctx->remote_heap

fastrpc_init_create_static_process() may free cctx->remote_heap on the err_map path but does not clear the pointer. Later, fastrpc_rpmsg_remove() frees cctx->remote_heap again if it is non-NULL, which can lead to a double-free if the INIT_CREATE_STATIC ioctl hits the error path and the rpmsg device is subsequently removed/unbound.

Clear cctx->remote_heap after freeing it in the error path to prevent the later cleanup from freeing it again.

This issue was found by an in-house analysis workflow that extracts AST-based information and runs static checks, with LLM assistance for triage, and was confirmed by manual code review. No hardware testing was performed.
02 KernelScan AI Analysis
Risk summary
Local users with access to the fastrpc device can trigger a kernel double-free by causing the INIT_CREATE_STATIC ioctl to fail and then unbinding the rpmsg device. This leads to kernel memory corruption and system crash, affecting Qualcomm SoC-based devices that use the fastrpc driver for DSP communication.
Vulnerability analysis
The vulnerability occurs in fastrpc_init_create_static_process() where cctx->remote_heap is freed on the error path but the pointer is not cleared to NULL. Later, when fastrpc_rpmsg_remove() executes during device removal, it checks if cctx->remote_heap is non-NULL and frees it again, causing a double-free. The fix adds a single line to set the pointer to NULL after freeing, preventing the second free operation. This affects the fastrpc driver used for communication with Qualcomm DSPs and requires local access with permissions to open the fastrpc device file.
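The bug class described above is an "ownership handed back but pointer left dangling" error: an error path frees a buffer that a struct still references, and an unrelated teardown routine later frees whatever that field still points to. The following constructed C model (added here as an illustration; it is not the kernel's fastrpc code and every name in it is hypothetical) reproduces that sequence with a tracking allocator so the second free is counted instead of corrupting memory. The `fixed` flag toggles the one-line change the patch makes, clearing the pointer after the free on the error path.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not kernel code: a channel context owning a "remote heap"
 * buffer, an init routine with an error path, and a remove routine that frees
 * the buffer if the pointer is still set. */
struct fastrpc_buf {          /* hypothetical buffer record */
    bool in_use;
    bool freed;
    size_t size;
};

struct fastrpc_channel_ctx {  /* hypothetical channel context */
    struct fastrpc_buf *remote_heap;
};

/* Tracking allocator: a fixed pool whose slots are never reused, so a second
 * free of the same buffer is observable rather than undefined behaviour. */
#define POOL_SIZE 4
static struct fastrpc_buf g_pool[POOL_SIZE];
static int g_double_frees;

static struct fastrpc_buf *buf_alloc(size_t size)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!g_pool[i].in_use) {
            g_pool[i].in_use = true;
            g_pool[i].freed = false;
            g_pool[i].size = size;
            return &g_pool[i];
        }
    }
    return NULL;
}

/* Marks the buffer freed; a call on an already-freed buffer is a double free. */
static void buf_free(struct fastrpc_buf *b)
{
    if (b->freed) {
        g_double_frees++;   /* the defect we are modelling */
        return;
    }
    b->freed = true;        /* slot stays in_use so it is never handed out again */
}

/* Simulated INIT_CREATE_STATIC handling: allocate the remote heap, then a later
 * step (the mapping, here driven by map_fails) can fail and unwind. */
static int init_create_static(struct fastrpc_channel_ctx *cctx,
                              bool map_fails, bool fixed)
{
    if (!cctx->remote_heap) {
        cctx->remote_heap = buf_alloc(4096);
        if (!cctx->remote_heap)
            return -ENOMEM;
    }
    if (map_fails)
        goto err_map;
    return 0;

err_map:
    buf_free(cctx->remote_heap);
    if (fixed)
        cctx->remote_heap = NULL;   /* the fix: drop the dangling reference */
    return -EFAULT;
}

/* Simulated rpmsg remove/unbind: releases the remote heap if still referenced. */
static void rpmsg_remove(struct fastrpc_channel_ctx *cctx)
{
    if (cctx->remote_heap) {
        buf_free(cctx->remote_heap);
        cctx->remote_heap = NULL;
    }
}

/* Runs one scenario (init that may fail, followed by device removal) and
 * returns how many double frees the tracking allocator observed. */
int run_scenario(bool map_fails, bool fixed)
{
    memset(g_pool, 0, sizeof g_pool);
    g_double_frees = 0;
    struct fastrpc_channel_ctx cctx = { .remote_heap = NULL };
    (void)init_create_static(&cctx, map_fails, fixed);
    rpmsg_remove(&cctx);
    return g_double_frees;
}

int main(void)
{
    printf("init fails, unfixed: %d double free(s)\n", run_scenario(true, false));
    printf("init fails, fixed:   %d double free(s)\n", run_scenario(true, true));
    printf("init succeeds:       %d double free(s)\n", run_scenario(false, true));
    return 0;
}
```

The success path is included to show why the remove routine's `if (remote_heap)` check is reasonable on its own: the defect is not that teardown frees the buffer, but that the error path leaves a stale pointer that makes teardown's check pass. The same review question applies to any `goto err_*` label that frees a field of a longer-lived struct: after the free, is the field reset so every later owner sees NULL?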
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.81 | 0bdee4118340 |
| 6.18 | 6.18.22 | 3a164f640953 |
| 6.19 | 6.19.12 | f67d368d2676 |
| 6.6 | 6.6.134 | 4b8e527aca35 |
| mainline | 7.0 | ba2c83167b21 |