CVE-2026-31745 Overview
CVE-2026-31745 is a double free vulnerability [CWE-415] in the Linux kernel's GPIO-based reset controller subsystem. The flaw resides in reset_add_gpio_aux_device() within the auxiliary device registration path. When __auxiliary_device_add() fails, the function calls auxiliary_device_uninit(adev), which triggers the device release callback reset_gpio_aux_device_release() and frees adev. The error path then calls kfree(adev) again, producing a double free condition. A local authenticated attacker capable of triggering the failure path can corrupt kernel heap state, leading to memory corruption or local privilege escalation.
Critical Impact
Successful exploitation can corrupt kernel memory and enable local privilege escalation on systems running affected Linux kernel versions.
Affected Products
- Linux Kernel 7.0-rc1 through 7.0-rc7
- Linux Kernel mainline builds containing the GPIO reset auxiliary device code
- Distributions packaging the affected upstream kernel snapshots
Discovery Timeline
- 2026-05-01 - CVE-2026-31745 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-31745
Vulnerability Analysis
The vulnerability sits in the GPIO reset controller's auxiliary device registration logic. The function reset_add_gpio_aux_device() allocates an auxiliary_device structure, initializes it, and registers it with the kernel auxiliary bus. Registration occurs through __auxiliary_device_add(). When this call fails, the cleanup logic incorrectly frees the same memory twice.
First, the code invokes auxiliary_device_uninit(adev). This call drops the final reference on the device, which triggers the registered release callback reset_gpio_aux_device_release(). The release callback already frees adev via kfree(). The error path then issues another explicit kfree(adev) on the same pointer, creating the double free.
Root Cause
The root cause is incorrect ownership semantics in the error path. Once auxiliary_device_init() succeeds and a release callback is registered, the kernel auxiliary subsystem owns the lifecycle of the structure. Calling auxiliary_device_uninit() transfers responsibility for freeing the object to the release callback. The original code did not account for this ownership transition and freed the structure manually after the subsystem already released it.
Attack Vector
A local attacker with the ability to load kernel modules or trigger GPIO reset auxiliary device registration failures can drive execution into the faulty error path. Repeated triggering of the double free can corrupt the SLUB allocator's freelist, enabling heap layout manipulation. Skilled attackers can convert this into arbitrary kernel write primitives and escalate privileges to root.
The vulnerability requires local access with low privileges and no user interaction. Container escape scenarios and untrusted code execution environments increase exposure.
The vulnerability manifests during failed auxiliary device registration. See the Kernel Git Commit Log for the upstream patch and technical details.
Detection Methods for CVE-2026-31745
Indicators of Compromise
- Kernel oops or panic messages referencing reset_add_gpio_aux_device or reset_gpio_aux_device_release in dmesg or /var/log/kern.log.
- KASAN reports flagging double-free or use-after-free conditions in the auxiliary device subsystem.
- Unexpected SLUB allocator corruption warnings tied to the auxiliary_device slab cache.
Detection Strategies
- Enable CONFIG_KASAN and CONFIG_SLUB_DEBUG on test and staging kernels to surface the double free at runtime.
- Monitor kernel ring buffer output for repeated faults in the GPIO reset driver path.
- Audit loaded kernel versions against the affected 7.0-rcX series and flag hosts running unpatched builds.
Monitoring Recommendations
- Centralize kernel logs and alert on stack traces containing reset_add_gpio_aux_device or auxiliary_device_uninit failures.
- Track unexpected privilege escalations and process lineage anomalies on Linux endpoints running development kernels.
- Correlate kernel crash telemetry with local user activity to identify exploitation attempts.
How to Mitigate CVE-2026-31745
Immediate Actions Required
- Apply the upstream fix from commits 1de465753220 and fbffb8c7c7bb to all affected kernel builds.
- Inventory systems running Linux 7.0-rc1 through 7.0-rc7 and prioritize patching for multi-tenant and developer hosts.
- Restrict the ability of unprivileged users to load kernel modules via modules_disabled or signed-module enforcement.
Patch Information
The Linux kernel maintainers resolved the issue by removing the redundant kfree(adev) call after auxiliary_device_uninit(). The kfree(adev) call is preserved only for the auxiliary_device_init() failure path, where the subsystem has not yet taken ownership. Patches are available in the stable kernel commit 1de4657532 and stable kernel commit fbffb8c7c7.
Workarounds
- Avoid deploying release-candidate 7.0-rcX kernels on production systems until the patched stable release is available.
- Disable or unload the GPIO reset auxiliary driver where the functionality is not required.
- Apply mandatory access controls such as SELinux or AppArmor to limit local users from triggering the vulnerable code path.
# Verify running kernel version and check for affected release candidates
uname -r
# Disable unprivileged module loading until patched
sysctl -w kernel.modules_disabled=1
# Apply distribution kernel update once available
sudo apt update && sudo apt upgrade linux-image-$(uname -r)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
