Linux Kernel up to 6.18.21/6.19.11 gpio gpiochip_add_data_with_key double free

| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.5 | $0-$5k | 0.00 |
Summary
A vulnerability has been found in Linux Kernel up to 6.18.21/6.19.11 and classified as critical. This affects the function gpiochip_add_data_with_key of the component gpio. Performing a manipulation results in double free.
This vulnerability is known as CVE-2026-31732. No exploit is available.
The affected component should be upgraded.
Details
A vulnerability, which was classified as critical, was found in Linux Kernel up to 6.18.21/6.19.11. This affects the function gpiochip_add_data_with_key of the component gpio. The manipulation with an unknown input leads to a double free vulnerability. CWE is classifying the issue as CWE-415. The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations. This is going to have an impact on availability. The summary by CVE is:
In the Linux kernel, the following vulnerability has been resolved: gpio: Fix resource leaks on errors in gpiochip_add_data_with_key() Since commit aab5c6f20023 ("gpio: set device type for GPIO chips"), `gdev->dev.release` is unset. As a result, the reference count to `gdev->dev` isn't dropped on the error handling paths. Drop the reference on errors. Also reorder the instructions to make the error handling simpler. Now gpiochip_add_data_with_key() roughly looks like: >>> Some memory allocation. Go to ERR ZONE 1 on errors. >>> device_initialize(). gpiodev_release() takes over the responsibility for freeing the resources of `gdev->dev`. The subsequent error handling paths shouldn't go through ERR ZONE 1 again which leads to double free. >>> Some initialization mainly on `gdev`. >>> The rest of initialization. Go to ERR ZONE 2 on errors. >>> Chip registration success and exit. >>> ERR ZONE 2. gpio_device_put() and exit. >>> ERR ZONE 1.
It is possible to read the advisory at git.kernel.org. This vulnerability is uniquely identified as CVE-2026-31732 since 03/09/2026. Technical details of the vulnerability are known, but there is no available exploit. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 07/06/2026).
The vulnerability scanner Nessus provides a plugin with the ID 325146 (Debian dsa-6381 : ata-modules-6.12.90+deb13-armmp-di - security update), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 6.18.22 or 6.19.12 eliminates this vulnerability. Applying the patch f0cf9c7b7c281956cc0dec163132cd96f76e1d60/fb4584d2b324c522404c733c65840a1a6519ada8/16fdabe143fce2cbf89139677728e17e21b46c28 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the databases at Tenable (325146) and CERT Bund (WID-SEC-2026-1346). Be aware that VulDB is the high quality source for vulnerability data.
Affected
- Google Container-Optimized OS
- Debian Linux
- Amazon Linux 2
- Red Hat Enterprise Linux
- Ubuntu Linux
- SUSE Linux
- Oracle Linux
- SUSE openSUSE
- Open Source Linux Kernel
- RESF Rocky Linux
- Microsoft Azure Linux
- Red Hat OpenShift
Product
Type
Vendor
Name
Version
- 6.18.0
- 6.18.1
- 6.18.2
- 6.18.3
- 6.18.4
- 6.18.5
- 6.18.6
- 6.18.7
- 6.18.8
- 6.18.9
- 6.18.10
- 6.18.11
- 6.18.12
- 6.18.13
- 6.18.14
- 6.18.15
- 6.18.16
- 6.18.17
- 6.18.18
- 6.18.19
- 6.18.20
- 6.18.21
- 6.19.0
- 6.19.1
- 6.19.2
- 6.19.3
- 6.19.4
- 6.19.5
- 6.19.6
- 6.19.7
- 6.19.8
- 6.19.9
- 6.19.10
- 6.19.11
License
Website
- Vendor: https://www.kernel.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.6VulDB Meta Temp Score: 5.5
VulDB Base Score: 5.7
VulDB Temp Score: 5.5
VulDB Vector: 🔒
VulDB Reliability: 🔍
NVD Base Score: 5.5
NVD Vector: 🔒
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Double freeCWE: CWE-415 / CWE-119
CAPEC: 🔒
ATT&CK: 🔒
Physical: Partially
Local: Yes
Remote: Partially
Availability: 🔒
Status: Not defined
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 325146
Nessus Name: Debian dsa-6381 : ata-modules-6.12.90+deb13-armmp-di - security update
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Upgrade: Kernel 6.18.22/6.19.12
Patch: f0cf9c7b7c281956cc0dec163132cd96f76e1d60/fb4584d2b324c522404c733c65840a1a6519ada8/16fdabe143fce2cbf89139677728e17e21b46c28
Timeline
03/09/2026 CVE reserved05/01/2026 Advisory disclosed
05/01/2026 VulDB entry created
07/06/2026 VulDB entry last update
Sources
Vendor: kernel.orgAdvisory: git.kernel.org
Status: Confirmed
CVE: CVE-2026-31732 (🔒)
GCVE (CVE): GCVE-0-2026-31732
GCVE (VulDB): GCVE-100-360615
CERT Bund: WID-SEC-2026-1346 - Linux Kernel: Mehrere Schwachstellen
Entry
Created: 05/01/2026 16:55Updated: 07/06/2026 15:35
Changes: 05/01/2026 16:55 (59), 05/05/2026 08:57 (7), 07/01/2026 04:23 (3), 07/04/2026 14:58 (10), 07/06/2026 15:35 (2)
Complete: 🔍
Cache ID: 216::103
Be aware that VulDB is the high quality source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.