Linux Kernel up to 6.12.82/6.18.21/6.19.11 thermal thermal_zone_pm_complete use after free

| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.6 | $5k-$25k | 0.00 |
Summary
A vulnerability was found in Linux Kernel up to 6.12.82/6.18.21/6.19.11. It has been classified as critical. This affects the function thermal_zone_pm_complete of the component thermal. The manipulation leads to use after free.
This vulnerability is traded as CVE-2026-31731. There is no exploit available.
Upgrading the affected component is recommended.
Details
A vulnerability, which was classified as critical, has been found in Linux Kernel up to 6.12.82/6.18.21/6.19.11. This issue affects the function thermal_zone_pm_complete of the component thermal. The manipulation with an unknown input leads to a use after free vulnerability. Using CWE to declare the problem leads to CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
In the Linux kernel, the following vulnerability has been resolved: thermal: core: Address thermal zone removal races with resume Since thermal_zone_pm_complete() and thermal_zone_device_resume() re-initialize the poll_queue delayed work for the given thermal zone, the cancel_delayed_work_sync() in thermal_zone_device_unregister() may miss some already running work items and the thermal zone may be freed prematurely [1]. There are two failing scenarios that both start with running thermal_pm_notify_complete() right before invoking thermal_zone_device_unregister() for one of the thermal zones. In the first scenario, there is a work item already running for the given thermal zone when thermal_pm_notify_complete() calls thermal_zone_pm_complete() for that thermal zone and it continues to run when thermal_zone_device_unregister() starts. Since the poll_queue delayed work has been re-initialized by thermal_pm_notify_complete(), the running work item will be missed by the cancel_delayed_work_sync() in thermal_zone_device_unregister() and if it continues to run past the freeing of the thermal zone object, a use-after-free will occur. In the second scenario, thermal_zone_device_resume() queued up by thermal_pm_notify_complete() runs right after the thermal_zone_exit() called by thermal_zone_device_unregister() has returned. The poll_queue delayed work is re-initialized by it before cancel_delayed_work_sync() is called by thermal_zone_device_unregister(), so it may continue to run after the freeing of the thermal zone object, which also leads to a use-after-free. Address the first failing scenario by ensuring that no thermal work items will be running when thermal_pm_notify_complete() is called. For this purpose, first move the cancel_delayed_work() call from thermal_zone_pm_complete() to thermal_zone_pm_prepare() to prevent new work from entering the workqueue going forward. Next, switch over to using a dedicated workqueue for thermal events and update the code in thermal_pm_notify() to flush that workqueue after thermal_pm_notify_prepare() has returned which will take care of all leftover thermal work already on the workqueue (that leftover work would do nothing useful anyway because all of the thermal zones have been flagged as suspended). The second failing scenario is addressed by adding a tz->state check to thermal_zone_device_resume() to prevent it from re-initializing the poll_queue delayed work if the thermal zone is going away. Note that the above changes will also facilitate relocating the suspend and resume of thermal zones closer to the suspend and resume of devices, respectively.
It is possible to read the advisory at git.kernel.org. The identification of this vulnerability is CVE-2026-31731 since 03/09/2026. The exploitation is known to be easy. Technical details of the vulnerability are known, but there is no available exploit. The pricing for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 07/01/2026).
The vulnerability scanner Nessus provides a plugin with the ID 316948 (Amazon Linux 2023 : bpftool6.18, kernel6.18, kernel6.18-devel (ALAS2023-2026-1746)), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 6.12.83, 6.18.22 or 6.19.12 eliminates this vulnerability. Applying the patch 1a6d2b001eb730d85f00da39ae7db6f3b4edc540/2dbe93f344f10b432b95a23304006be805c097a1/c4593f1654f7dea3bcf9bb1851ded86311d4f370/45b859b0728267a6199ee5002d62e6c6f3e8c89d is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the databases at Tenable (316948) and CERT Bund (WID-SEC-2026-1346). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Affected
- Google Container-Optimized OS
- Debian Linux
- Amazon Linux 2
- Red Hat Enterprise Linux
- Ubuntu Linux
- SUSE Linux
- Oracle Linux
- SUSE openSUSE
- Open Source Linux Kernel
- RESF Rocky Linux
- Microsoft Azure Linux
- Red Hat OpenShift
Product
Type
Vendor
Name
Version
- 6.12.0
- 6.12.1
- 6.12.2
- 6.12.3
- 6.12.4
- 6.12.5
- 6.12.6
- 6.12.7
- 6.12.8
- 6.12.9
- 6.12.10
- 6.12.11
- 6.12.12
- 6.12.13
- 6.12.14
- 6.12.15
- 6.12.16
- 6.12.17
- 6.12.18
- 6.12.19
- 6.12.20
- 6.12.21
- 6.12.22
- 6.12.23
- 6.12.24
- 6.12.25
- 6.12.26
- 6.12.27
- 6.12.28
- 6.12.29
- 6.12.30
- 6.12.31
- 6.12.32
- 6.12.33
- 6.12.34
- 6.12.35
- 6.12.36
- 6.12.37
- 6.12.38
- 6.12.39
- 6.12.40
- 6.12.41
- 6.12.42
- 6.12.43
- 6.12.44
- 6.12.45
- 6.12.46
- 6.12.47
- 6.12.48
- 6.12.49
- 6.12.50
- 6.12.51
- 6.12.52
- 6.12.53
- 6.12.54
- 6.12.55
- 6.12.56
- 6.12.57
- 6.12.58
- 6.12.59
- 6.12.60
- 6.12.61
- 6.12.62
- 6.12.63
- 6.12.64
- 6.12.65
- 6.12.66
- 6.12.67
- 6.12.68
- 6.12.69
- 6.12.70
- 6.12.71
- 6.12.72
- 6.12.73
- 6.12.74
- 6.12.75
- 6.12.76
- 6.12.77
- 6.12.78
- 6.12.79
- 6.12.80
- 6.12.81
- 6.12.82
- 6.18.0
- 6.18.1
- 6.18.2
- 6.18.3
- 6.18.4
- 6.18.5
- 6.18.6
- 6.18.7
- 6.18.8
- 6.18.9
- 6.18.10
- 6.18.11
- 6.18.12
- 6.18.13
- 6.18.14
- 6.18.15
- 6.18.16
- 6.18.17
- 6.18.18
- 6.18.19
- 6.18.20
- 6.18.21
- 6.19.0
- 6.19.1
- 6.19.2
- 6.19.3
- 6.19.4
- 6.19.5
- 6.19.6
- 6.19.7
- 6.19.8
- 6.19.9
- 6.19.10
- 6.19.11
License
Website
- Vendor: https://www.kernel.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 8.0VulDB Meta Temp Score: 7.6
VulDB Base Score: 8.0
VulDB Temp Score: 7.6
VulDB Vector: 🔒
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Use after freeCWE: CWE-416 / CWE-119
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Partially
Availability: 🔒
Status: Not defined
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 316948
Nessus Name: Amazon Linux 2023 : bpftool6.18, kernel6.18, kernel6.18-devel (ALAS2023-2026-1746)
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Upgrade: Kernel 6.12.83/6.18.22/6.19.12
Patch: 1a6d2b001eb730d85f00da39ae7db6f3b4edc540/2dbe93f344f10b432b95a23304006be805c097a1/c4593f1654f7dea3bcf9bb1851ded86311d4f370/45b859b0728267a6199ee5002d62e6c6f3e8c89d
Timeline
03/09/2026 CVE reserved05/01/2026 Advisory disclosed
05/01/2026 VulDB entry created
07/01/2026 VulDB entry last update
Sources
Vendor: kernel.orgAdvisory: git.kernel.org
Status: Confirmed
CVE: CVE-2026-31731 (🔒)
GCVE (CVE): GCVE-0-2026-31731
GCVE (VulDB): GCVE-100-360659
CERT Bund: WID-SEC-2026-1346 - Linux Kernel: Mehrere Schwachstellen
Entry
Created: 05/01/2026 17:50Updated: 07/01/2026 04:23
Changes: 05/01/2026 17:50 (59), 05/05/2026 08:57 (7), 05/28/2026 05:51 (2), 07/01/2026 04:23 (3)
Complete: 🔍
Cache ID: 216::103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.