HIGH
usb ULPI DoubleFree
CVE-2026-31759
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI5.1MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: usb: ulpi: fix double free in ulpi_register_interface() error path When device_register() fails, ulpi_register() calls put_device() on ulpi->dev. The device release callback ulpi_dev_release() drops the OF node reference and frees ulpi, but the current error path in ulpi_register_interface() then calls kfree(ulpi) again, causing a double free. Let put_device() handle the cleanup through ulpi_dev_release() and avoid freeing ulpi again in ulpi_register_interface().
02KernelScan AI Analysis
Risk summary
Attackers with physical access to the device PCB can trigger a double-free vulnerability in the USB ULPI interface registration error path. This corrupts the kernel heap allocator and leads to a kernel panic, resulting in denial of service. The bug is reachable through the on-board ULPI interface used by USB 2.0 PHYs.
Vulnerability analysis
The vulnerability exists in ulpi_register_interface(). When device_register() fails, ulpi_register() calls put_device(), which invokes the ulpi_dev_release() callback to free the ulpi structure. The error path in ulpi_register_interface() then incorrectly calls kfree(ulpi) a second time, causing a double free. The fix removes the redundant kfree() so that put_device() alone handles cleanup. Because this is a heap corruption bug in the USB subsystem, it is reachable via the physical USB attack surface (on-board ULPI) and can corrupt the slab allocator freelist, with a direct availability impact from kernel panic.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 2f70ba9dae13 |
| 5.15 | 5.15.203 | ee248e6e941e |
| 6.1 | 6.1.168 | 272a9b26c336 |
| 6.12 | 6.12.81 | 8763f8317bb3 |
| 6.18 | 6.18.22 | 38c28fe25611 |
| 6.19 | 6.19.12 | a6e5461f076c |
| 6.6 | 6.6.134 | aaeae6533d77 |
| mainline | 7.0 | 01af542392b5 |