CVE-2026-31759

Summary

In the Linux kernel, the following vulnerability has been resolved:

usb: ulpi: fix double free in ulpi_register_interface() error path

When device_register() fails, ulpi_register() calls put_device() on ulpi->dev.

The device release callback ulpi_dev_release() drops the OF node reference and frees ulpi, but the current error path in ulpi_register_interface() then calls kfree(ulpi) again, causing a double free.

Let put_device() handle the cleanup through ulpi_dev_release() and avoid freeing ulpi again in ulpi_register_interface().

Affected Software

VendorProductVersion RangeStatus
LinuxLinux289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f < 2f70ba9dae13a190673cc3f9b4aad52179738f60affected
LinuxLinux289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f < ee248e6e941e4f2e634df2bd43e5f1ef810ab6dfaffected
LinuxLinux289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f < 272a9b26c336a295e4e209157fed809706c1b1f7affected
LinuxLinux289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f < aaeae6533d77e6ed4def85baec01e2815ebbef61affected
LinuxLinux289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f < 8763f8317bb389aded32a32b08f6751cfff657d2affected
LinuxLinux289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f < 38c28fe25611099230f0965c925499bfcf46a795affected
LinuxLinux289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f < a6e5461f076c2ef63159f18e5cdbd30b50f0bc15affected
LinuxLinux289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f < 01af542392b5d41fd659d487015a71f627accce3affected
LinuxLinux4.2affected
LinuxLinux0 < 4.2unaffected
LinuxLinux5.10.253 <= 5.10.*unaffected
LinuxLinux5.15.203 <= 5.15.*unaffected
LinuxLinux6.1.168 <= 6.1.*unaffected
LinuxLinux6.6.134 <= 6.6.*unaffected
LinuxLinux6.12.81 <= 6.12.*unaffected
LinuxLinux6.18.22 <= 6.18.*unaffected
LinuxLinux6.19.12 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References