
CVE-2026-31730: Linux Kernel Use-After-Free Vulnerability

CVE-2026-31730 is a use-after-free flaw in the Linux kernel's fastrpc component that results in a double-free condition. This article covers the technical details, affected versions, security impact, and mitigation.


CVE-2026-31730 Overview

CVE-2026-31730 is a double-free vulnerability in the Linux kernel fastrpc misc driver. The flaw resides in fastrpc_init_create_static_process(), which frees cctx->remote_heap along the err_map error path without clearing the pointer. When fastrpc_rpmsg_remove() later runs, it frees cctx->remote_heap a second time, corrupting kernel heap state. The condition is reachable when the INIT_CREATE_STATIC ioctl encounters its error path and the rpmsg device is subsequently removed or unbound. The issue is tracked under CWE-415 (Double Free) and affects multiple Linux kernel branches, including 7.0 release candidates.

Critical Impact

A local user with access to the fastrpc device can trigger kernel heap corruption, enabling privilege escalation or denial of service.

Affected Products

  • Linux Kernel (multiple stable branches)
  • Linux Kernel 7.0-rc1 through 7.0-rc6
  • Systems exposing the Qualcomm fastrpc misc driver to userspace

Discovery Timeline

  • 2026-05-01 - CVE-2026-31730 published to NVD
  • 2026-05-07 - Last updated in NVD database

Technical Details for CVE-2026-31730

Vulnerability Analysis

The fastrpc driver provides userspace access to Qualcomm DSP remote procedure calls through a misc character device. The static-process initialization path allocates a remote heap and assigns it to cctx->remote_heap. When initialization fails after this allocation, the err_map cleanup branch in fastrpc_init_create_static_process() releases the remote heap memory. The function returns without setting cctx->remote_heap to NULL, leaving a dangling pointer in the channel context structure.

The channel context survives beyond the failed ioctl because it is owned by the rpmsg device, not the file descriptor. When the rpmsg device is later removed or unbound, fastrpc_rpmsg_remove() performs its own cleanup and frees cctx->remote_heap again because the pointer is non-NULL. The second free operates on memory that the slab allocator has already returned or reallocated.

Root Cause

The root cause is missing pointer invalidation after error-path deallocation. The cleanup contract between fastrpc_init_create_static_process() and fastrpc_rpmsg_remove() was not enforced consistently, so both functions assume ownership of freeing cctx->remote_heap under different conditions. The fix sets cctx->remote_heap = NULL immediately after the error-path free, ensuring the later cleanup is a no-op.
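The ownership mismatch described above can be modelled outside the kernel. The following is an added example, not code from the fastrpc driver or the upstream patch: it uses a constructed tracking allocator (so a second free is counted rather than corrupting the process heap), a hypothetical `channel_ctx` struct with only the `remote_heap` field, and stand-in functions `init_static_process()` and `rpmsg_remove()` for the two kernel functions. The `fixed` flag switches the single-line fix (clearing the pointer after the error-path free) on and off so the effect on the later cleanup is visible.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the fastrpc channel context; only the field
 * involved in the bug is modelled. */
struct channel_ctx {
    void *remote_heap;
};

/* Constructed tracking allocator: blocks are marked dead on free and only
 * really released at reset, so a second free of the same pointer is counted
 * instead of corrupting the process heap (addresses stay unique per run). */
#define MAX_BLOCKS 16
static void *blocks[MAX_BLOCKS];
static bool live[MAX_BLOCKS];
static int nblocks;
static int double_free_count;

static void *tracked_alloc(size_t n)
{
    if (nblocks == MAX_BLOCKS)
        return NULL;
    void *p = malloc(n);
    if (p == NULL)
        return NULL;
    blocks[nblocks] = p;
    live[nblocks] = true;
    nblocks++;
    return p;
}

static void tracked_free(void *p)
{
    for (int i = 0; i < nblocks; i++) {
        if (blocks[i] != p)
            continue;
        if (!live[i])
            double_free_count++;   /* on a real slab this is heap corruption */
        live[i] = false;
        return;
    }
}

static void reset_tracker(void)
{
    for (int i = 0; i < nblocks; i++)
        free(blocks[i]);
    nblocks = 0;
    double_free_count = 0;
}

/* Stand-in for fastrpc_init_create_static_process(): allocates the remote
 * heap, then (when fail_after_alloc is set) takes the err_map path. The
 * `fixed` flag selects whether the pointer is invalidated after the free. */
static int init_static_process(struct channel_ctx *cctx, bool fail_after_alloc, bool fixed)
{
    cctx->remote_heap = tracked_alloc(4096);
    if (cctx->remote_heap == NULL)
        return -ENOMEM;

    if (fail_after_alloc) {
        /* err_map: release the heap */
        tracked_free(cctx->remote_heap);
        if (fixed)
            cctx->remote_heap = NULL;  /* the fix: make later cleanup a no-op */
        return -EINVAL;
    }
    return 0;
}

/* Stand-in for fastrpc_rpmsg_remove(): frees the heap whenever the pointer is set. */
static void rpmsg_remove(struct channel_ctx *cctx)
{
    if (cctx->remote_heap != NULL) {
        tracked_free(cctx->remote_heap);
        cctx->remote_heap = NULL;
    }
}

/* Runs a failing ioctl followed by device removal and returns the number of
 * double frees the tracker observed: 1 without the fix, 0 with it. */
int run_scenario(bool fixed)
{
    struct channel_ctx cctx = { .remote_heap = NULL };

    reset_tracker();
    (void)init_static_process(&cctx, true, fixed);
    rpmsg_remove(&cctx);

    int observed = double_free_count;
    reset_tracker();
    return observed;
}

int main(void)
{
    printf("unfixed: %d double free(s)\n", run_scenario(false));
    printf("fixed:   %d double free(s)\n", run_scenario(true));
    return 0;
}
```

The point to take from the model is the cleanup contract: once two functions may each free the same pointer, the only safe convention is that whichever frees it also invalidates it, so the other side's NULL check becomes the decision point.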

Attack Vector

Exploitation requires local access and the ability to invoke INIT_CREATE_STATIC ioctl operations against the fastrpc device, then trigger or wait for an rpmsg device removal or unbind event. An attacker who races the failing ioctl with device teardown can corrupt kernel slab metadata, which is a known primitive for arbitrary kernel write and local privilege escalation. No user interaction or network access is required.

// Vulnerability mechanism (prose description, no verified PoC available)
// 1. Userspace opens /dev/fastrpc-* and issues INIT_CREATE_STATIC ioctl.
// 2. fastrpc_init_create_static_process() allocates cctx->remote_heap.
// 3. A subsequent step fails, jumping to err_map.
// 4. err_map frees cctx->remote_heap but leaves the pointer set.
// 5. rpmsg device is removed; fastrpc_rpmsg_remove() frees it again.
// 6. The double-free corrupts the kernel slab freelist.

Detection Methods for CVE-2026-31730

Indicators of Compromise

  • Kernel oops or panic messages referencing fastrpc, remote_heap, or slab corruption (kmalloc-*, BUG: KASAN: double-free).
  • Unexpected rpmsg device unbind or remove events correlated with prior failing INIT_CREATE_STATIC ioctl calls.
  • Process crashes or unexpected privilege transitions on systems with the fastrpc driver loaded.

Detection Strategies

  • Enable KASAN on test and pre-production kernels to surface double-free conditions during fuzzing of the fastrpc ioctl interface.
  • Monitor dmesg and /var/log/kern.log for double-free warnings and slab integrity errors that reference fastrpc symbols.
  • Audit which user accounts and processes hold open file descriptors on /dev/fastrpc-* device nodes.

Monitoring Recommendations

  • Forward kernel logs to a centralized logging platform and alert on KASAN, slab-out-of-bounds, and double free strings.
  • Track installed kernel package versions across the fleet to identify hosts still running unpatched builds.
  • Inspect ioctl telemetry on ARM/Qualcomm-based Linux endpoints where the fastrpc driver is typically present.
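The log-monitoring items under Detection Strategies and Monitoring Recommendations can be turned into a small classifier. The code below is an added example, not part of the original page or of any logging product: it matches the signature strings named above (`BUG: KASAN: double-free`, `slab-out-of-bounds`, `double free`) against kernel log lines and separately flags those that also reference fastrpc symbols or `remote_heap`. The sample lines are constructed for the example and are not real captured kernel output.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Heap-corruption signatures named in the detection guidance above. */
static const char *const heap_signatures[] = {
    "BUG: KASAN: double-free",
    "slab-out-of-bounds",
    "double free",
    NULL,
};

/* Tokens that tie a report to the fastrpc driver. */
static const char *const fastrpc_tokens[] = { "fastrpc", "remote_heap", NULL };

static bool contains_any(const char *line, const char *const *needles)
{
    for (; *needles != NULL; needles++)
        if (strstr(line, *needles) != NULL)
            return true;
    return false;
}

/* Classifies one kernel log line: returns true when it carries a heap-corruption
 * signature; *fastrpc_related is set when the same line also names fastrpc. */
bool classify_kernel_log_line(const char *line, bool *fastrpc_related)
{
    *fastrpc_related = false;
    if (!contains_any(line, heap_signatures))
        return false;
    *fastrpc_related = contains_any(line, fastrpc_tokens);
    return true;
}

struct scan_result {
    int heap_alerts;      /* lines with any heap-corruption signature */
    int fastrpc_alerts;   /* subset that also reference fastrpc */
};

/* Scans an array of log lines (e.g. read from dmesg or /var/log/kern.log). */
struct scan_result scan_kernel_log(const char *const *lines, size_t count)
{
    struct scan_result r = { 0, 0 };
    for (size_t i = 0; i < count; i++) {
        bool fastrpc;
        if (classify_kernel_log_line(lines[i], &fastrpc)) {
            r.heap_alerts++;
            if (fastrpc)
                r.fastrpc_alerts++;
        }
    }
    return r;
}

/* Constructed sample lines for the example; not real captured output. */
static const char *const sample_log[] = {
    "[ 1234.567890] BUG: KASAN: double-free in fastrpc_rpmsg_remove+0x1a0/0x2c0",
    "[ 1234.567891] Free of addr ffff8881234abc00 by task kworker/0:1/42",
    "[ 1240.000001] usb 1-1: new high-speed USB device number 3 using xhci_hcd",
    "[ 1300.111111] BUG: KASAN: slab-out-of-bounds in other_driver_read+0x44/0x80",
};
#define SAMPLE_COUNT (sizeof(sample_log) / sizeof(sample_log[0]))

/* Convenience wrapper that scans the constructed sample. */
struct scan_result scan_sample_log(void)
{
    return scan_kernel_log(sample_log, SAMPLE_COUNT);
}

int main(void)
{
    struct scan_result r = scan_sample_log();
    printf("heap-corruption alerts: %d (fastrpc-related: %d)\n",
           r.heap_alerts, r.fastrpc_alerts);
    return 0;
}
```

On the sample, two lines carry a heap-corruption signature and one of those names fastrpc; in a fleet pipeline the fastrpc-related subset is the one worth paging on for this CVE, while the generic count feeds the broader KASAN/slab alerting the recommendations describe.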

How to Mitigate CVE-2026-31730

Immediate Actions Required

  • Apply the upstream stable kernel patches as soon as your distribution publishes updated packages.
  • Restrict access to /dev/fastrpc-* device nodes to trusted users and services using filesystem permissions and udev rules.
  • Unload the fastrpc module on systems that do not require Qualcomm DSP RPC functionality.

Patch Information

The fix clears cctx->remote_heap after freeing it in the error path of fastrpc_init_create_static_process(), preventing fastrpc_rpmsg_remove() from operating on the dangling pointer. Patches are available across stable branches via the following commits: 0bdee41183, 3a164f6409, 4b8e527aca, ba2c83167b, and f67d368d26.

Workarounds

  • Blacklist the fastrpc kernel module on hosts where the Qualcomm DSP interface is not required.
  • Tighten device permissions so only privileged service accounts can issue ioctls against /dev/fastrpc-*.
  • Disable or restrict rpmsg device hot-unbind operations from non-root users to reduce the race window.
```bash
# Configuration example: blacklist the fastrpc module and restrict device access
echo 'blacklist fastrpc' | sudo tee /etc/modprobe.d/blacklist-fastrpc.conf
sudo rmmod fastrpc 2>/dev/null || true

# Restrict device node permissions via udev
cat <<'EOF' | sudo tee /etc/udev/rules.d/90-fastrpc.rules
KERNEL=="fastrpc-*", MODE="0600", OWNER="root", GROUP="root"
EOF
sudo udevadm control --reload-rules && sudo udevadm trigger
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
