CVE-2026-31769

Source
https://cve.org/CVERecord?id=CVE-2026-31769
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31769.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31769
Downstream
Published
2026-05-01T14:14:58.617Z
Modified
2026-07-08T08:06:22.115100095Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
gpib: fix use-after-free in IO ioctl handlers
Details

In the Linux kernel, the following vulnerability has been resolved:

gpib: fix use-after-free in IO ioctl handlers

The IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers use a gpibdescriptor pointer after board->biggpibmutex has been released. A concurrent IBCLOSEDEV ioctl can free the descriptor via closedev_ioctl() during this window, causing a use-after-free.

The IO handlers (readioctl, writeioctl, commandioctl) explicitly release biggpibmutex before calling their handler. waitioctl() is called with biggpibmutex held, but ibwait() releases it internally when waitmask is non-zero. In all four cases, the descriptor pointer obtained from handleto_descriptor() becomes unprotected.

Fix this by introducing a kernel-only descriptorbusy reference count in struct gpibdescriptor. Each handler atomically increments descriptorbusy under filepriv->descriptorsmutex before releasing the lock, and decrements it when done. closedevioctl() checks descriptorbusy under the same lock and rejects the close with -EBUSY if the count is non-zero.

A reference count rather than a simple flag is necessary because multiple handlers can operate on the same descriptor concurrently (e.g. IBRD and IBWAIT on the same handle from different threads).

A separate counter is needed because ioinprogress can be cleared from unprivileged userspace via the IBWAIT ioctl (through generalibstatus() with setmask containing CMPL), which would allow an attacker to bypass a check based solely on ioinprogress. The new descriptor_busy counter is only modified by the kernel IO paths.

The lock ordering is consistent (biggpibmutex -> descriptorsmutex) and the handlers only hold descriptorsmutex briefly during the lookup, so there is no deadlock risk and no impact on IO throughput.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31769.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9dde4559e93955ccc47d588f7fd051684d55c4e7
Fixed
cae26eff1b56d78bed7873cf3e60a2b1bdd4da6c
Fixed
28c75dd143ead62e0dfac564c79d251e21d5d74b
Fixed
d1857f8296dceb75d00ab857fc3c61bc00c7f5c6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31769.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.22
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.12

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31769.json"