HIGH
reset GPIO DoubleFree
CVE-2026-31745
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 5.1 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

reset: gpio: fix double free in reset_add_gpio_aux_device() error path

When __auxiliary_device_add() fails, reset_add_gpio_aux_device() calls auxiliary_device_uninit(adev). The device release callback reset_gpio_aux_device_release() frees adev, but the current error path then calls kfree(adev) again, causing a double free.

Keep kfree(adev) for the auxiliary_device_init() failure path, but avoid freeing adev after auxiliary_device_uninit().
02 KernelScan AI Analysis
Risk summary
A double-free vulnerability in the kernel's reset GPIO subsystem allows attackers with administrative privileges to corrupt kernel heap metadata during reset controller registration. This can lead to kernel panics and system crashes on devices that use GPIO-based reset controllers.
Vulnerability analysis
The vulnerability exists in reset_add_gpio_aux_device(), which is invoked when a reset controller driver registers a GPIO auxiliary device. When __auxiliary_device_add() fails, the error path calls auxiliary_device_uninit(adev), whose release callback (reset_gpio_aux_device_release()) frees adev. The original code then erroneously calls kfree(adev) again, resulting in a double free of heap memory. Because reset controller registration is a driver-probe operation (e.g., module load or device bind), reaching this code path requires privileged access such as CAP_SYS_MODULE or root-equivalent capabilities. The fix removes the redundant kfree(adev) after auxiliary_device_uninit() while retaining it for the auxiliary_device_init() failure path.
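The ownership rule behind the two error paths, as an added userspace model (not kernel source and not the patch itself). Every model_* name is a hypothetical stand-in for the kernel function named in its comment, and frees are counted rather than performed so the model itself stays memory-safe.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model only: every model_* name is a stand-in, not a kernel API. */
struct model_adev { void (*release)(struct model_adev *); };
enum fail_at { FAIL_NONE, FAIL_INIT, FAIL_ADD };

static int frees; /* kfree() calls seen for the current object */

/* Counts the free instead of performing it, so the model stays memory-safe. */
static void model_kfree(struct model_adev *adev) { (void)adev; frees++; }

/* Stand-in for reset_gpio_aux_device_release(): the callback owns the free. */
static void model_release(struct model_adev *adev) { model_kfree(adev); }

/* Stand-in for auxiliary_device_init(): on failure no release callback is armed. */
static int model_init(struct model_adev *adev, bool fail)
{
    if (fail)
        return -1;
    adev->release = model_release;
    return 0;
}

/* Stand-in for auxiliary_device_uninit(): runs the release callback. */
static void model_uninit(struct model_adev *adev) { adev->release(adev); }

/* Returns how many times adev was freed on the selected error path. */
int model_register(enum fail_at where, bool patched)
{
    struct model_adev *adev = calloc(1, sizeof(*adev));
    int n;

    if (!adev)
        return -1;
    frees = 0;
    if (model_init(adev, where == FAIL_INIT)) {
        model_kfree(adev);      /* init failed: caller still owns adev */
    } else if (where == FAIL_ADD) { /* models __auxiliary_device_add() failing */
        model_uninit(adev);     /* release callback frees adev */
        if (!patched)
            model_kfree(adev);  /* pre-fix: same pointer freed again */
    }
    n = frees;
    free(adev); /* the model's single real free of the backing memory */
    return n;
}
```

A count of 2 on the add-failure path is the double free; the init-failure path must stay at 1 in both variants, which is why the fix keeps that kfree(adev).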
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.19 | 6.19.12 | 1de465753220 |
| mainline | 7.0 | fbffb8c7c7bb |