CVE-2026-31399 Overview
CVE-2026-31399 is a use-after-free vulnerability in the Linux kernel's nvdimm/bus subsystem. The flaw resides in nd_async_device_register(), the function responsible for asynchronous registration of non-volatile memory devices. When device_add() fails during allocation, the device reference count drops to zero before the parent pointer is dereferenced, producing a use-after-free condition. The bug was identified through KASAN (Kernel Address Sanitizer) reporting by a researcher tracked as Dingisoul. The issue regresses a prior fix in commit b6eae0f61db2 ("libnvdimm: Hold reference on parent while scheduling async init"), which intended to keep the parent device alive during asynchronous initialization.
Critical Impact
A use-after-free in kernel memory may lead to denial of service or, under specific allocation conditions, kernel memory corruption affecting NVDIMM-equipped systems.
Affected Products
- Linux kernel — nvdimm/bus subsystem (libnvdimm)
- Multiple stable branches receiving backports per kernel.org commits
- Systems with NVDIMM hardware that invoke nd_async_device_register()
Discovery Timeline
- 2026-04-03 - CVE-2026-31399 published to NVD
- 2026-04-18 - Last updated in NVD database
Technical Details for CVE-2026-31399
Vulnerability Analysis
The nvdimm subsystem registers devices asynchronously to reduce boot and hotplug latency. The function nd_async_device_register() schedules registration work and previously took a reference on the parent device to keep it valid until asynchronous registration completed. The fix in commit b6eae0f61db2 introduced that parent reference but did not account for failure paths inside device_add().
When device_add() fails because of an allocation error, the kernel drops the final reference on the child device. The child structure is freed before the code path attempts to access its parent pointer to release the parent reference. The result is a kernel-mode use-after-free [CWE-416] on memory that previously belonged to the device structure.
The remediation saves a local copy of the parent pointer prior to calling device_add(). The cleanup code then uses the saved pointer to drop the parent reference regardless of the outcome, eliminating the dangling access.
Root Cause
The root cause is an object lifetime mismatch. The parent pointer was accessed through the child device structure after that structure could already be freed. Reference-count ordering during the failure path of device_add() was not preserved by the original fix.
Attack Vector
Triggering the condition requires device_add() to fail during asynchronous NVDIMM registration. Such failures typically result from kernel memory allocation pressure. Local attackers with the ability to register or hotplug NVDIMM devices, or to induce allocation failures, could reach the vulnerable path. Remote exploitation is not indicated by the upstream commit data.
No public proof-of-concept exploit code is referenced in the disclosure. The vulnerability is described as a fix derived from KASAN instrumentation rather than an in-the-wild exploitation report.
Detection Methods for CVE-2026-31399
Indicators of Compromise
- KASAN reports referencing nd_async_device_register or libnvdimm use-after-free conditions in dmesg or kernel logs
- Kernel oops or panic traces involving the nvdimm/bus code path during device registration
- Repeated allocation failures (-ENOMEM) coinciding with NVDIMM device add events
Detection Strategies
- Compare the running kernel version against the fixed commits (2c638259, 6fc36c2a, 84af1985, 9a0fb16b, a226e5b4, a36cf138, a8aec142, e48bf8f1) on kernel.org
- Audit kernel build configurations to confirm whether CONFIG_LIBNVDIMM is enabled on systems with persistent memory hardware
- Review crash collection systems for stack traces originating in drivers/nvdimm/bus.c
Monitoring Recommendations
- Collect and centralize kdump and kmsg output from NVDIMM-capable hosts for retrospective analysis
- Alert on kernel panics and KASAN splats from production fleets via existing observability pipelines
- Track NVDIMM hotplug and registration events to correlate with kernel instability
How to Mitigate CVE-2026-31399
Immediate Actions Required
- Inventory Linux hosts with NVDIMM hardware and identify their running kernel versions
- Apply the stable kernel update containing the upstream fix for nd_async_device_register()
- Reboot affected systems after patch installation to ensure the corrected code path is active
Patch Information
The upstream remediation saves the parent device pointer locally before calling device_add(), so the cleanup logic can drop the parent reference whether registration succeeds or fails. The fix has been backported across multiple stable trees. Refer to the kernel.org commits, including Kernel Commit 2c638259, Kernel Commit 6fc36c2a, Kernel Commit 84af1985, Kernel Commit 9a0fb16b, Kernel Commit a226e5b4, Kernel Commit a36cf138, Kernel Commit a8aec142, and Kernel Commit e48bf8f1.
Workarounds
- Disable the libnvdimm module on hosts that do not require NVDIMM functionality by blacklisting libnvdimm and dependent modules
- Restrict local administrative access to limit who can trigger NVDIMM device registration or hotplug events
- Where patching is delayed, monitor memory pressure to reduce the likelihood of allocation failures that trigger the vulnerable path
# Verify running kernel and check for libnvdimm usage
uname -r
lsmod | grep -E 'libnvdimm|nd_'
# Optionally blacklist libnvdimm where NVDIMM is not required
echo 'blacklist libnvdimm' | sudo tee /etc/modprobe.d/blacklist-libnvdimm.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
