HOMEVULNERABILITIESCVE-2026-31530
HIGH

CVE-2026-31530

Published: April 22, 2026· Updated: Apr 28, 2026

7.8
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:4.6th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

cxl/port: Fix use after free of parent_port in cxl_detach_ep()

cxl_detach_ep() is called during bottom-up removal when all CXL memory

devices beneath a switch port have been removed. For each port in the

hierarchy it locks both the port and its parent, removes the endpoint,

and if the port is now empty, marks it dead and unregisters the port

by calling delete_switch_port(). There are two places during this work

where the parent_port may be used after freeing:

First, a concurrent detach may have already processed a port by the

time a second worker finds it via bus_find_device(). Without pinning

parent_port, it may already be freed when we discover port->dead and

attempt to unlock the parent_port. In a production kernel that's a

silent memory corruption, with lock debug, it looks like this:

[]DEBUG_LOCKS_WARN_ON(__owner_task(owner) != get_current())

[]WARNING: kernel/locking/mutex.c:949 at __mutex_unlock_slowpath+0x1ee/0x310

[]Call Trace:

[]mutex_unlock+0xd/0x20

[]cxl_detach_ep+0x180/0x400 [cxl_core]

[]devm_action_release+0x10/0x20

[]devres_release_all+0xa8/0xe0

[]device_unbind_cleanup+0xd/0xa0

[]really_probe+0x1a6/0x3e0

Second, delete_switch_port() releases three devm actions registered

against parent_port. The last of those is unregister_port() and it

calls device_unregister() on the child port, which can cascade. If

parent_port is now also empty the device core may unregister and free

it too. So by the time delete_switch_port() returns, parent_port may

be free, and the subsequent device_unlock(&parent_port->dev) operates

on freed memory. The kernel log looks same as above, with a different

offset in cxl_detach_ep().

Both of these issues stem from the absence of a lifetime guarantee

between a child port and its parent port.

Establish a lifetime rule for ports: child ports hold a reference to

their parent device until release. Take the reference when the port

is allocated and drop it when released. This ensures the parent is

valid for the full lifetime of the child and eliminates the use after

free window in cxl_detach_ep().

This is easily reproduced with a reload of cxl_acpi in QEMU with CXL

devices present.

NVD Source

Technical Analysis

CVE-2026-31530 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 7.8.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Linux1 product
linux kernel
Source: NVD CPE · 2 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (4)

Quick Facts

CVE IDCVE-2026-31530
CVSS Score7.8 / 10
SeverityHIGH
CISA KEVNo
EPSS (30d)0.02%
Affected1 vendor
PublishedApr 22, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-31530 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.