HOMEVULNERABILITIESCVE-2026-31731
HIGH

CVE-2026-31731

Published: May 1, 2026· Updated: May 8, 2026

7.8
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:4.6th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

thermal: core: Address thermal zone removal races with resume

Since thermal_zone_pm_complete() and thermal_zone_device_resume()

re-initialize the poll_queue delayed work for the given thermal zone,

the cancel_delayed_work_sync() in thermal_zone_device_unregister()

may miss some already running work items and the thermal zone may

be freed prematurely [1].

There are two failing scenarios that both start with

running thermal_pm_notify_complete() right before invoking

thermal_zone_device_unregister() for one of the thermal zones.

In the first scenario, there is a work item already running for

the given thermal zone when thermal_pm_notify_complete() calls

thermal_zone_pm_complete() for that thermal zone and it continues to

run when thermal_zone_device_unregister() starts. Since the poll_queue

delayed work has been re-initialized by thermal_pm_notify_complete(), the

running work item will be missed by the cancel_delayed_work_sync() in

thermal_zone_device_unregister() and if it continues to run past the

freeing of the thermal zone object, a use-after-free will occur.

In the second scenario, thermal_zone_device_resume() queued up by

thermal_pm_notify_complete() runs right after the thermal_zone_exit()

called by thermal_zone_device_unregister() has returned. The poll_queue

delayed work is re-initialized by it before cancel_delayed_work_sync() is

called by thermal_zone_device_unregister(), so it may continue to run

after the freeing of the thermal zone object, which also leads to a

use-after-free.

Address the first failing scenario by ensuring that no thermal work

items will be running when thermal_pm_notify_complete() is called.

For this purpose, first move the cancel_delayed_work() call from

thermal_zone_pm_complete() to thermal_zone_pm_prepare() to prevent

new work from entering the workqueue going forward. Next, switch

over to using a dedicated workqueue for thermal events and update

the code in thermal_pm_notify() to flush that workqueue after

thermal_pm_notify_prepare() has returned which will take care of

all leftover thermal work already on the workqueue (that leftover

work would do nothing useful anyway because all of the thermal zones

have been flagged as suspended).

The second failing scenario is addressed by adding a tz->state check

to thermal_zone_device_resume() to prevent it from re-initializing

the poll_queue delayed work if the thermal zone is going away.

Note that the above changes will also facilitate relocating the suspend

and resume of thermal zones closer to the suspend and resume of devices,

respectively.

NVD Source

Technical Analysis

CVE-2026-31731 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 7.8.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Linux1 product
linux kernel
Source: NVD CPE · 2 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (4)

Quick Facts

CVE IDCVE-2026-31731
CVSS Score7.8 / 10
SeverityHIGH
CISA KEVNo
EPSS (30d)0.02%
Affected1 vendor
PublishedMay 1, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-31731 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.