CVE-2026-31487 Overview
CVE-2026-31487 is a use-after-free (UAF) vulnerability in the Linux kernel's Serial Peripheral Interface (SPI) subsystem. The flaw stems from improper locking when accessing the driver_override field during driver probing. When a driver is probed through __driver_attach(), the bus match() callback executes without holding the device lock, allowing concurrent access to driver_override and creating a race condition that leads to memory corruption [CWE-667].
A local authenticated attacker can trigger this condition to cause kernel memory corruption resulting in denial of service. The vulnerability affects the Linux kernel SPI driver infrastructure and has been resolved by switching to the generic driver_override infrastructure provided by the driver core.
Critical Impact
Local attackers with low privileges can trigger a use-after-free in the kernel SPI subsystem, causing system crashes and high-impact availability loss.
Affected Products
- Linux Kernel 4.20
- Linux Kernel 7.0 release candidates (rc1 through rc7)
- Linux Kernel (multiple stable branches per upstream advisory)
Discovery Timeline
- 2026-04-22 - CVE-2026-31487 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-31487
Vulnerability Analysis
The vulnerability resides in the Linux kernel SPI bus implementation. The SPI subsystem implemented its own driver_override handling rather than using the generic driver-core infrastructure. The driver_override field allows administrators to force a specific driver binding to a device through sysfs.
When __driver_attach() walks the bus device list and invokes the bus match() callback, the device lock is intentionally not held. The SPI implementation accessed driver_override inside its match() handler without taking any synchronization primitive. A concurrent write to the sysfs driver_override attribute could free the string while the match callback was dereferencing it, producing a classic use-after-free.
The fix migrates SPI to the driver-core's driver_override helpers, which acquire the correct internal locks when reading and writing the field. The patch preserves SPI's existing sysfs output behavior, which emits an empty string rather than (null) when no override is set.
Root Cause
The root cause is improper locking around a shared mutable string pointer [CWE-667]. The SPI bus stored driver_override as a heap-allocated string that could be replaced through sysfs at any time. The custom store/show handlers did not coordinate with readers in match(), and __driver_attach() deliberately drops the device lock before calling match(), leaving the field unprotected.
Attack Vector
Exploitation requires local access with permission to write to the SPI device's driver_override sysfs attribute, typically restricted to root or privileged users on most distributions. An attacker writes new override strings in rapid succession while triggering driver attach operations. Winning the race causes the match() callback to read freed memory, corrupting the kernel allocator state and crashing the system.
The vulnerability does not provide a direct path to code execution or information disclosure based on the CVSS impact metrics, but the resulting kernel oops produces an availability impact.
No verified public proof-of-concept exploit is available. The vulnerability mechanism is described in the upstream commit messages; see Kernel Patch Commit eedf220.
Detection Methods for CVE-2026-31487
Indicators of Compromise
- Kernel oops or panic messages referencing spi_match_device, __driver_attach, or driver_override in dmesg or /var/log/kern.log.
- KASAN (Kernel Address Sanitizer) reports flagging use-after-free in the SPI bus match path on instrumented kernels.
- Unexpected SPI device rebinding events recorded in udev or systemd journal entries.
Detection Strategies
- Audit kernel package versions across Linux fleets and compare against the fixed commits c73a586, cc34d77, e0ae367, and eedf220.
- Monitor /sys/bus/spi/devices/*/driver_override write activity through Linux audit rules to flag unusual override changes.
- Correlate kernel crash telemetry with concurrent sysfs writes against SPI device attributes.
Monitoring Recommendations
- Enable kernel crash dump collection (kdump) on systems that interact with SPI hardware to capture forensic evidence of triggered UAF conditions.
- Track privileged process writes to /sys/bus/spi/ paths through auditd watch rules on /sys/bus/spi with write and attribute-change permissions (-p wa).
- Alert on repeated SPI driver bind/unbind cycles within short time windows, which can indicate race-condition probing.
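The correlation described in the detection and monitoring lists above, as an added example that is not part of the original advisory: it finds bursts of audit events carrying the spi_override_monitor key and pairs them with kernel log lines that name the SPI match-path symbols. The sample records, the window, threshold and slack values, and the assumption that kernel lines are exported with `journalctl -k -o short-unix` are constructed for illustration.

```python
import re
from collections import deque

KEY = "spi_override_monitor"  # audit key used by the page's auditctl rule
AUDIT_RE = re.compile(r'^type=SYSCALL msg=audit\((\d+\.\d+):\d+\):.*\bkey="([^"]+)"')
KERN_RE = re.compile(r"^(\d+\.\d+) \S+ kernel: (.*)$")  # journalctl -k -o short-unix
# Stack-frame style references to the symbols the page lists as indicators.
FRAME_RE = re.compile(
    r"\b(?:spi_match_device|__driver_attach|\w*driver_override\w*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def override_bursts(audit_lines, window=1.0, threshold=5):
    """Return (start, end, count) for runs of >= threshold keyed events inside `window` s."""
    times = sorted(float(m.group(1)) for m in map(AUDIT_RE.match, audit_lines)
                   if m and m.group(2) == KEY)
    spans, recent = [], deque()
    for t in times:
        recent.append(t)
        while t - recent[0] > window:      # slide the window forward
            recent.popleft()
        if len(recent) >= threshold:
            if spans and recent[0] <= spans[-1][1]:
                spans[-1][1] = t           # still the same burst: extend it
            else:
                spans.append([recent[0], t])
    return [(s, e, sum(s <= t <= e for t in times)) for s, e in spans]

def crash_indicators(kernel_lines):
    """Return (timestamp, message) for kernel lines that name the SPI match-path symbols."""
    return [(float(m.group(1)), m.group(2))
            for m in map(KERN_RE.match, kernel_lines) if m and FRAME_RE.search(m.group(2))]

def correlate(audit_lines, kernel_lines, slack=5.0, **burst_opts):
    """Pair each crash indicator with a burst that ended at most `slack` s before it."""
    bursts = override_bursts(audit_lines, **burst_opts)
    return [(ts, msg, b) for ts, msg in crash_indicators(kernel_lines)
            for b in bursts if b[0] <= ts <= b[1] + slack]

# Constructed sample records (shortened; not taken from a real incident).
AUDIT_SAMPLE = [
    f'type=SYSCALL msg=audit(1770000000.{ms}:{900 + i}): syscall=257 success=yes '
    f'comm="sh" key="{KEY}"' for i, ms in enumerate((100, 180, 260, 340, 420, 500))
] + ['type=SYSCALL msg=audit(1769999000.000:10): syscall=257 success=yes comm="sh" key="' + KEY + '"',
     'type=SYSCALL msg=audit(1770000000.300:950): syscall=59 success=yes comm="ls" key="exec_monitor"']
KERNEL_SAMPLE = [
    "1770000000.900000 host kernel: BUG: KASAN: slab-use-after-free in spi_match_device+0x2c/0x90",
    "1770000000.900100 host kernel:  __driver_attach+0x5a/0x1c0",
    "1769990000.000000 host kernel: spi-nor spi0.0: probe ok",
]
```

Calling `correlate(AUDIT_SAMPLE, KERNEL_SAMPLE)` returns both kernel lines paired with the single six-event burst; on a real host, pass lines read from the audit log and the kernel journal instead.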
How to Mitigate CVE-2026-31487
Immediate Actions Required
- Apply the upstream kernel patches from the stable trees referenced in the vendor advisories before deploying SPI-enabled hardware in multi-tenant environments.
- Restrict write permissions on /sys/bus/spi/devices/*/driver_override to trusted administrators only.
- Schedule reboots after kernel package updates so the patched SPI subsystem is loaded.
Patch Information
The vulnerability is fixed across multiple stable branches by the following commits: Kernel Patch Commit c73a586, Kernel Patch Commit cc34d77, Kernel Patch Commit e0ae367, and Kernel Patch Commit eedf220. Update to a kernel version that includes one of these commits through your distribution's package manager.
Workarounds
- Limit local user accounts on systems that expose SPI devices, since the attack requires local low-privilege access.
- Use mandatory access control policies (SELinux, AppArmor) to deny non-root write access to SPI sysfs attributes.
- On systems that do not require SPI userspace control, blacklist the spidev module to reduce the attack surface.
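# Show the running kernel release; compare it against your distribution's fixed version
uname -r
# Restrict write access to SPI driver_override attributes
# (entries under /sys/bus/spi/devices are symlinks, so find needs -L to reach the attribute)
find -L /sys/bus/spi/devices -maxdepth 2 -name driver_override -exec chmod 600 {} \;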
# Add an auditd rule to monitor driver_override writes
auditctl -w /sys/bus/spi -p wa -k spi_override_monitor


