CVE-2026-31506 Overview
CVE-2026-31506 is a double free vulnerability in the Linux kernel's bcmasp network driver, specifically affecting the Wake-on-LAN (WoL) interrupt handling. The vulnerability occurs when the wol_irq resource is manually freed despite being allocated with devm_request_irq(), which automatically handles resource cleanup through the device resource management (devres) subsystem. This results in attempting to free the same memory twice, leading to potential memory corruption and system instability.
Critical Impact
Double free vulnerabilities in kernel space can lead to memory corruption, denial of service, and potentially privilege escalation on affected Linux systems using the bcmasp network driver.
Affected Products
- Linux kernel with bcmasp network driver enabled
- Systems using Broadcom ASP (Memory Controller Peripheral) network hardware
- Linux-based devices with Wake-on-LAN functionality utilizing the bcmasp driver
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-31506 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-31506
Vulnerability Analysis
This vulnerability resides in the bcmasp network driver within the Linux kernel's networking subsystem. The root cause is an improper handling of device-managed resources where the Wake-on-LAN interrupt (wol_irq) is being explicitly freed in cleanup code, despite being originally allocated using devm_request_irq().
The devres (device resource management) subsystem in Linux is designed to automatically track and free device resources when a device is unbound or removed. When a developer allocates a resource using a devm_* function, the kernel automatically handles cleanup. Manually freeing such resources results in a double free condition—the resource is freed once explicitly and then again when devres performs its automatic cleanup.
Root Cause
The vulnerability stems from redundant resource deallocation in the bcmasp driver. When devm_request_irq() is used to request an interrupt, the kernel's devres framework automatically registers a callback to free the interrupt when the associated device is removed. The problematic code path included an explicit call to free wol_irq, which conflicts with the automatic cleanup mechanism. This programming error violates the devres contract and introduces memory safety issues.
Attack Vector
Exploitation of this double free vulnerability would typically require local access to trigger the specific code path that causes the double free condition. The vulnerability could be triggered during driver unload, device removal, or error handling scenarios where the cleanup code is executed. While the attack vector complexity depends on the specific system configuration, successful exploitation could result in:
- Kernel memory corruption
- Denial of service through system crash or panic
- Potential privilege escalation if an attacker can control the freed memory contents
The vulnerability does not appear to have public exploitation code available, and the attack surface is limited to systems actively using the bcmasp network driver with WoL functionality.
Detection Methods for CVE-2026-31506
Indicators of Compromise
- Kernel panic messages referencing bcmasp driver or double free errors
- System logs showing memory corruption warnings in the networking subsystem
- Unexpected system reboots or crashes during network driver operations
- KASAN (Kernel Address Sanitizer) reports indicating use-after-free or double-free in bcmasp module
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) in kernel builds to detect memory corruption issues
- Monitor kernel logs (dmesg) for bcmasp driver error messages and memory-related warnings
- Implement runtime integrity monitoring for kernel memory regions
- Deploy endpoint detection solutions capable of monitoring kernel-level anomalies
Monitoring Recommendations
- Configure centralized logging to capture kernel messages related to network driver operations
- Implement alerting for kernel panic events or unexpected system restarts
- Monitor for unusual network driver load/unload patterns that might indicate exploitation attempts
- Enable kernel debugging options in development environments to catch memory management issues early
How to Mitigate CVE-2026-31506
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the fix for CVE-2026-31506
- Review systems inventory to identify devices using the bcmasp network driver
- Consider temporarily disabling Wake-on-LAN functionality if immediate patching is not possible
- Apply kernel updates during the next available maintenance window
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix removes the redundant explicit free of wol_irq, allowing the devres subsystem to properly handle resource cleanup. Multiple kernel git commits address this issue across different kernel branches:
- Kernel Git Commit 121a6ad
- Kernel Git Commit 8a30509
- Kernel Git Commit 9e5f5c0
- Kernel Git Commit cbfa5be
Organizations should apply the appropriate patch based on their current kernel version and distribution.
Workarounds
- Disable the bcmasp network driver if not required for system operation by blacklisting the module
- Disable Wake-on-LAN functionality to reduce the attack surface involving wol_irq
- Use alternative network hardware/drivers if available and the bcmasp driver cannot be immediately patched
- Implement network segmentation to limit exposure of vulnerable systems
# Disable bcmasp driver by blacklisting the module
echo "blacklist bcmasp" >> /etc/modprobe.d/blacklist.conf
# Remove the module if currently loaded (requires root privileges)
modprobe -r bcmasp
# Verify the module is not loaded
lsmod | grep bcmasp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
