CVE-2026-31750 Overview
CVE-2026-31750 is a memory leak vulnerability [CWE-401] in the Linux kernel's Comedi subsystem. The flaw resides in the do_cmd_ioctl() function within drivers/comedi/comedi_fops.c. A prior commit, 4e1da516debb ("comedi: Add reference counting for Comedi command handling"), failed to handle an exceptional exit path where runflags is not set. As a result, do_become_nonbusy() does not free the chanlist memory, since it only releases the buffer when runflags is correctly set. The issue was discovered by syzbot through automated kernel fuzzing.
Critical Impact
A local user can repeatedly trigger the vulnerable ioctl path to exhaust kernel memory, leading to denial of service on affected Linux systems.
Affected Products
- Linux Kernel (mainline, vulnerable code path in drivers/comedi/comedi_fops.c)
- Linux Kernel 7.0-rc1 through 7.0-rc6
- Systems exposing the Comedi character device interface to local users
Discovery Timeline
- 2026-05-01 - CVE-2026-31750 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-31750
Vulnerability Analysis
The Comedi (Control and Measurement Device Interface) subsystem provides a unified interface for data acquisition hardware on Linux. User-space programs interact with Comedi devices through ioctl calls, including the COMEDI_CMD ioctl handled by do_cmd_ioctl().
When processing a command, __comedi_get_user_chanlist() allocates a kernel buffer to hold the channel list copied from user space. Cleanup of this buffer is normally handled by do_become_nonbusy(), which checks the subdevice runflags to determine whether the channel list should be reclaimed.
The memory leak occurs when do_cmd_ioctl() exits through an error path before runflags is initialized. Because do_become_nonbusy() conditions the free operation on the runflags value, the allocated chanlist is orphaned in kernel memory. Each failed ioctl invocation leaks an additional buffer.
Root Cause
The root cause is incomplete state tracking introduced by commit 4e1da516debb. The reference counting logic added by that commit assumed runflags would always be set on the cleanup path. The exceptional exit case in do_cmd_ioctl() violates this assumption, leaving an allocated buffer with no record that it must be freed. This is a classic missing-release-of-resource bug categorized under [CWE-401].
Attack Vector
Exploitation requires local access and the ability to open a Comedi device file, typically /dev/comediN. An attacker issues malformed COMEDI_CMD ioctl calls that trigger the early failure path in do_cmd_ioctl(). Repeated invocations progressively exhaust kernel memory, degrading system performance and ultimately causing denial of service. The vulnerability does not provide code execution or data disclosure.
The vulnerability is described in prose because no public proof-of-concept code is available. Refer to the upstream commits at Kernel Git Commit 29f644f1 and Kernel Git Commit 830c848a for the technical fix.
Detection Methods for CVE-2026-31750
Indicators of Compromise
- Steadily increasing kernel slab allocations attributable to Comedi-related kmalloc sites without corresponding frees.
- Repeated COMEDI_CMD ioctl failures originating from a single unprivileged process.
- Unexplained growth in Slab and SUnreclaim values reported in /proc/meminfo on hosts running Comedi drivers.
Detection Strategies
- Audit kernel memory usage with slabtop and kmemleak to identify leaked allocations originating from __comedi_get_user_chanlist.
- Enable CONFIG_DEBUG_KMEMLEAK on test systems to capture stack traces matching the syzbot-reported backtrace in drivers/comedi/comedi_fops.c:1815.
- Monitor process-level ioctl activity against /dev/comedi* devices using auditd rules to flag abnormal call rates.
Monitoring Recommendations
- Track kernel memory consumption trends and alert on sustained growth correlated with Comedi device access.
- Log access to Comedi character devices and review which user accounts hold open file descriptors.
- Correlate dmesg output for Comedi error messages with system memory pressure events.
How to Mitigate CVE-2026-31750
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in commits 29f644f1 and 830c848a once distribution updates become available.
- Restrict access to Comedi device files by ensuring /dev/comedi* permissions limit access to trusted users and groups only.
- If Comedi is not required, unload the comedi kernel module and blacklist it to prevent loading.
Patch Information
The fix adds a check in do_become_nonbusy() that frees the chanlist buffer when runflags is not set, ensuring the allocation is reclaimed on every exit path from do_cmd_ioctl(). The patches are available at Kernel Git Commit 29f644f1 and Kernel Git Commit 830c848a.
Workarounds
- Blacklist the comedi module on systems that do not use data acquisition hardware by adding blacklist comedi to /etc/modprobe.d/.
- Tighten device node permissions so only specific service accounts can issue ioctls against Comedi devices.
- Apply per-user memory cgroup limits to bound the impact of any kernel memory leak triggered from user space.
# Configuration example: prevent the comedi module from loading
echo "blacklist comedi" | sudo tee /etc/modprobe.d/disable-comedi.conf
sudo rmmod comedi 2>/dev/null || true
# Restrict access to any existing comedi device nodes
sudo chown root:root /dev/comedi* 2>/dev/null
sudo chmod 600 /dev/comedi* 2>/dev/null
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
