CVE-2026-31530 (GCVE-0-2026-31530)

Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-22 13:54
VLAI?
Title
cxl/port: Fix use after free of parent_port in cxl_detach_ep()
Summary
In the Linux kernel, the following vulnerability has been resolved: cxl/port: Fix use after free of parent_port in cxl_detach_ep() cxl_detach_ep() is called during bottom-up removal when all CXL memory devices beneath a switch port have been removed. For each port in the hierarchy it locks both the port and its parent, removes the endpoint, and if the port is now empty, marks it dead and unregisters the port by calling delete_switch_port(). There are two places during this work where the parent_port may be used after freeing: First, a concurrent detach may have already processed a port by the time a second worker finds it via bus_find_device(). Without pinning parent_port, it may already be freed when we discover port->dead and attempt to unlock the parent_port. In a production kernel that's a silent memory corruption, with lock debug, it looks like this: []DEBUG_LOCKS_WARN_ON(__owner_task(owner) != get_current()) []WARNING: kernel/locking/mutex.c:949 at __mutex_unlock_slowpath+0x1ee/0x310 []Call Trace: []mutex_unlock+0xd/0x20 []cxl_detach_ep+0x180/0x400 [cxl_core] []devm_action_release+0x10/0x20 []devres_release_all+0xa8/0xe0 []device_unbind_cleanup+0xd/0xa0 []really_probe+0x1a6/0x3e0 Second, delete_switch_port() releases three devm actions registered against parent_port. The last of those is unregister_port() and it calls device_unregister() on the child port, which can cascade. If parent_port is now also empty the device core may unregister and free it too. So by the time delete_switch_port() returns, parent_port may be free, and the subsequent device_unlock(&parent_port->dev) operates on freed memory. The kernel log looks same as above, with a different offset in cxl_detach_ep(). Both of these issues stem from the absence of a lifetime guarantee between a child port and its parent port. Establish a lifetime rule for ports: child ports hold a reference to their parent device until release. Take the reference when the port is allocated and drop it when released. This ensures the parent is valid for the full lifetime of the child and eliminates the use after free window in cxl_detach_ep(). This is easily reproduced with a reload of cxl_acpi in QEMU with CXL devices present.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 2345df54249c6fb7779e2a72b427ee79ed3eaad5 , < d216a4bd138eb57cc4ae7c43b2f709e3482af7e2 (git)
Affected: 2345df54249c6fb7779e2a72b427ee79ed3eaad5 , < 2c32141462045cf93d54a5146a0ba572b83533dd (git)
Affected: 2345df54249c6fb7779e2a72b427ee79ed3eaad5 , < f7dc6f381a1e5f068333f1faa9265d6af1df4235 (git)
Affected: 2345df54249c6fb7779e2a72b427ee79ed3eaad5 , < 19d2f0b97a131198efc2c4ca3eb7f980bba8c2b4 (git)
Create a notification for this product.
    Linux Linux Affected: 6.3
Unaffected: 0 , < 6.3 (semver)
Unaffected: 6.12.80 , ≤ 6.12.* (semver)
Unaffected: 6.18.21 , ≤ 6.18.* (semver)
Unaffected: 6.19.11 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/cxl/core/port.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d216a4bd138eb57cc4ae7c43b2f709e3482af7e2",
              "status": "affected",
              "version": "2345df54249c6fb7779e2a72b427ee79ed3eaad5",
              "versionType": "git"
            },
            {
              "lessThan": "2c32141462045cf93d54a5146a0ba572b83533dd",
              "status": "affected",
              "version": "2345df54249c6fb7779e2a72b427ee79ed3eaad5",
              "versionType": "git"
            },
            {
              "lessThan": "f7dc6f381a1e5f068333f1faa9265d6af1df4235",
              "status": "affected",
              "version": "2345df54249c6fb7779e2a72b427ee79ed3eaad5",
              "versionType": "git"
            },
            {
              "lessThan": "19d2f0b97a131198efc2c4ca3eb7f980bba8c2b4",
              "status": "affected",
              "version": "2345df54249c6fb7779e2a72b427ee79ed3eaad5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/cxl/core/port.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.80",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.21",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.11",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/port: Fix use after free of parent_port in cxl_detach_ep()\n\ncxl_detach_ep() is called during bottom-up removal when all CXL memory\ndevices beneath a switch port have been removed. For each port in the\nhierarchy it locks both the port and its parent, removes the endpoint,\nand if the port is now empty, marks it dead and unregisters the port\nby calling delete_switch_port(). There are two places during this work\nwhere the parent_port may be used after freeing:\n\nFirst, a concurrent detach may have already processed a port by the\ntime a second worker finds it via bus_find_device(). Without pinning\nparent_port, it may already be freed when we discover port-\u003edead and\nattempt to unlock the parent_port. In a production kernel that\u0027s a\nsilent memory corruption, with lock debug, it looks like this:\n\n[]DEBUG_LOCKS_WARN_ON(__owner_task(owner) != get_current())\n[]WARNING: kernel/locking/mutex.c:949 at __mutex_unlock_slowpath+0x1ee/0x310\n[]Call Trace:\n[]mutex_unlock+0xd/0x20\n[]cxl_detach_ep+0x180/0x400 [cxl_core]\n[]devm_action_release+0x10/0x20\n[]devres_release_all+0xa8/0xe0\n[]device_unbind_cleanup+0xd/0xa0\n[]really_probe+0x1a6/0x3e0\n\nSecond, delete_switch_port() releases three devm actions registered\nagainst parent_port. The last of those is unregister_port() and it\ncalls device_unregister() on the child port, which can cascade. If\nparent_port is now also empty the device core may unregister and free\nit too. So by the time delete_switch_port() returns, parent_port may\nbe free, and the subsequent device_unlock(\u0026parent_port-\u003edev) operates\non freed memory. The kernel log looks same as above, with a different\noffset in cxl_detach_ep().\n\nBoth of these issues stem from the absence of a lifetime guarantee\nbetween a child port and its parent port.\n\nEstablish a lifetime rule for ports: child ports hold a reference to\ntheir parent device until release. Take the reference when the port\nis allocated and drop it when released. This ensures the parent is\nvalid for the full lifetime of the child and eliminates the use after\nfree window in cxl_detach_ep().\n\nThis is easily reproduced with a reload of cxl_acpi in QEMU with CXL\ndevices present."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T13:54:42.563Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d216a4bd138eb57cc4ae7c43b2f709e3482af7e2"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c32141462045cf93d54a5146a0ba572b83533dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/f7dc6f381a1e5f068333f1faa9265d6af1df4235"
        },
        {
          "url": "https://git.kernel.org/stable/c/19d2f0b97a131198efc2c4ca3eb7f980bba8c2b4"
        }
      ],
      "title": "cxl/port: Fix use after free of parent_port in cxl_detach_ep()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31530",
    "datePublished": "2026-04-22T13:54:42.563Z",
    "dateReserved": "2026-03-09T15:48:24.112Z",
    "dateUpdated": "2026-04-22T13:54:42.563Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-31530",
      "date": "2026-04-24",
      "epss": "0.00018",
      "percentile": "0.04584"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-31530\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-04-22T14:16:53.293\",\"lastModified\":\"2026-04-23T16:17:41.280\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncxl/port: Fix use after free of parent_port in cxl_detach_ep()\\n\\ncxl_detach_ep() is called during bottom-up removal when all CXL memory\\ndevices beneath a switch port have been removed. For each port in the\\nhierarchy it locks both the port and its parent, removes the endpoint,\\nand if the port is now empty, marks it dead and unregisters the port\\nby calling delete_switch_port(). There are two places during this work\\nwhere the parent_port may be used after freeing:\\n\\nFirst, a concurrent detach may have already processed a port by the\\ntime a second worker finds it via bus_find_device(). Without pinning\\nparent_port, it may already be freed when we discover port-\u003edead and\\nattempt to unlock the parent_port. In a production kernel that\u0027s a\\nsilent memory corruption, with lock debug, it looks like this:\\n\\n[]DEBUG_LOCKS_WARN_ON(__owner_task(owner) != get_current())\\n[]WARNING: kernel/locking/mutex.c:949 at __mutex_unlock_slowpath+0x1ee/0x310\\n[]Call Trace:\\n[]mutex_unlock+0xd/0x20\\n[]cxl_detach_ep+0x180/0x400 [cxl_core]\\n[]devm_action_release+0x10/0x20\\n[]devres_release_all+0xa8/0xe0\\n[]device_unbind_cleanup+0xd/0xa0\\n[]really_probe+0x1a6/0x3e0\\n\\nSecond, delete_switch_port() releases three devm actions registered\\nagainst parent_port. The last of those is unregister_port() and it\\ncalls device_unregister() on the child port, which can cascade. If\\nparent_port is now also empty the device core may unregister and free\\nit too. So by the time delete_switch_port() returns, parent_port may\\nbe free, and the subsequent device_unlock(\u0026parent_port-\u003edev) operates\\non freed memory. The kernel log looks same as above, with a different\\noffset in cxl_detach_ep().\\n\\nBoth of these issues stem from the absence of a lifetime guarantee\\nbetween a child port and its parent port.\\n\\nEstablish a lifetime rule for ports: child ports hold a reference to\\ntheir parent device until release. Take the reference when the port\\nis allocated and drop it when released. This ensures the parent is\\nvalid for the full lifetime of the child and eliminates the use after\\nfree window in cxl_detach_ep().\\n\\nThis is easily reproduced with a reload of cxl_acpi in QEMU with CXL\\ndevices present.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/19d2f0b97a131198efc2c4ca3eb7f980bba8c2b4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/2c32141462045cf93d54a5146a0ba572b83533dd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d216a4bd138eb57cc4ae7c43b2f709e3482af7e2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f7dc6f381a1e5f068333f1faa9265d6af1df4235\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.