Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-31769— gpib: fix use-after-free in IO ioctl handlers

CVSS 7.8 · High EPSS 0.01% · P2
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-31769

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
gpib: fix use-after-free in IO ioctl handlers
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: gpib: fix use-after-free in IO ioctl handlers The IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers use a gpib_descriptor pointer after board->big_gpib_mutex has been released. A concurrent IBCLOSEDEV ioctl can free the descriptor via close_dev_ioctl() during this window, causing a use-after-free. The IO handlers (read_ioctl, write_ioctl, command_ioctl) explicitly release big_gpib_mutex before calling their handler. wait_ioctl() is called with big_gpib_mutex held, but ibwait() releases it internally when wait_mask is non-zero. In all four cases, the descriptor pointer obtained from handle_to_descriptor() becomes unprotected. Fix this by introducing a kernel-only descriptor_busy reference count in struct gpib_descriptor. Each handler atomically increments descriptor_busy under file_priv->descriptors_mutex before releasing the lock, and decrements it when done. close_dev_ioctl() checks descriptor_busy under the same lock and rejects the close with -EBUSY if the count is non-zero. A reference count rather than a simple flag is necessary because multiple handlers can operate on the same descriptor concurrently (e.g. IBRD and IBWAIT on the same handle from different threads). A separate counter is needed because io_in_progress can be cleared from unprivileged userspace via the IBWAIT ioctl (through general_ibstatus() with set_mask containing CMPL), which would allow an attacker to bypass a check based solely on io_in_progress. The new descriptor_busy counter is only modified by the kernel IO paths. The lock ordering is consistent (big_gpib_mutex -> descriptors_mutex) and the handlers only hold descriptors_mutex briefly during the lookup, so there is no deadlock risk and no impact on IO throughput.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于gpib驱动在IO ioctl处理程序中释放锁后使用gpib_descriptor指针,可能导致释放后重用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 9dde4559e93955ccc47d588f7fd051684d55c4e7 ~ cae26eff1b56d78bed7873cf3e60a2b1bdd4da6c -
LinuxLinux 6.13 -

II. Public POCs for CVE-2026-31769

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-31769

登录查看更多情报信息。

Same Patch Batch · Linux · 2026-05-01 · 146 CVEs total

CVE-2026-430379.8 CRITICALip6_tunnel: clear skb2->cb[] in ip4ip6_err()
CVE-2026-430119.8 CRITICALnet/x25: Fix potential double free of skb
CVE-2026-317059.8 CRITICALksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
CVE-2026-430389.8 CRITICALipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
CVE-2026-430399.8 CRITICALnet: ti: icssg-prueth: fix missing data copy and wrong recycle in ZC RX dispatch
CVE-2026-317189.8 CRITICALksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger
CVE-2026-317738.8 HIGHBluetooth: SMP: derive legacy responder STK authentication from MITM state
CVE-2026-430188.8 HIGHBluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt
CVE-2026-317068.8 HIGHksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()
CVE-2026-317398.8 HIGHcrypto: tegra - Add missing CRYPTO_ALG_ASYNC
CVE-2026-317098.8 HIGHsmb: client: validate the whole DACL before rewriting it in cifsacl
CVE-2026-430488.8 HIGHHID: core: Mitigate potential OOB by removing bogus memset()
CVE-2026-317178.8 HIGHksmbd: validate owner of durable handle on reconnect
CVE-2026-317358.8 HIGHiommupt: Fix short gather if the unmap goes into a large mapping
CVE-2026-317128.3 HIGHksmbd: require minimum ACE size in smb_check_perm_dacl()
CVE-2026-317718.1 HIGHBluetooth: hci_event: move wake reason storage into validated event handlers
CVE-2026-317798.1 HIGHwifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler()
CVE-2026-430518.1 HIGHHID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
CVE-2026-317088.1 HIGHsmb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
CVE-2026-430567.8 HIGHnet: mana: fix use-after-free in add_adev() error path

Showing top 20 of 146 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-31769

No comments yet

Leave a comment