{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31759","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.139Z","datePublished":"2026-05-01T14:14:51.895Z","dateUpdated":"2026-05-11T22:15:15.896Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:15:15.896Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: ulpi: fix double free in ulpi_register_interface() error path\n\nWhen device_register() fails, ulpi_register() calls put_device() on\nulpi->dev.\n\nThe device release callback ulpi_dev_release() drops the OF node\nreference and frees ulpi, but the current error path in\nulpi_register_interface() then calls kfree(ulpi) again, causing a\ndouble free.\n\nLet put_device() handle the cleanup through ulpi_dev_release() and\navoid freeing ulpi again in ulpi_register_interface()."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/common/ulpi.c"],"versions":[{"version":"289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f","lessThan":"2f70ba9dae13a190673cc3f9b4aad52179738f60","status":"affected","versionType":"git"},{"version":"289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f","lessThan":"ee248e6e941e4f2e634df2bd43e5f1ef810ab6df","status":"affected","versionType":"git"},{"version":"289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f","lessThan":"272a9b26c336a295e4e209157fed809706c1b1f7","status":"affected","versionType":"git"},{"version":"289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f","lessThan":"aaeae6533d77e6ed4def85baec01e2815ebbef61","status":"affected","versionType":"git"},{"version":"289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f","lessThan":"8763f8317bb389aded32a32b08f6751cfff657d2","status":"affected","versionType":"git"},{"version":"289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f","lessThan":"38c28fe25611099230f0965c925499bfcf46a795","status":"affected","versionType":"git"},{"version":"289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f","lessThan":"a6e5461f076c2ef63159f18e5cdbd30b50f0bc15","status":"affected","versionType":"git"},{"version":"289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f","lessThan":"01af542392b5d41fd659d487015a71f627accce3","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/common/ulpi.c"],"versions":[{"version":"4.2","status":"affected"},{"version":"0","lessThan":"4.2","status":"unaffected","versionType":"semver"},{"version":"5.10.253","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.203","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.168","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.134","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.81","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.22","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.12","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"5.10.253"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"5.15.203"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"6.1.168"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"6.6.134"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"6.12.81"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"6.18.22"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"6.19.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2f70ba9dae13a190673cc3f9b4aad52179738f60"},{"url":"https://git.kernel.org/stable/c/ee248e6e941e4f2e634df2bd43e5f1ef810ab6df"},{"url":"https://git.kernel.org/stable/c/272a9b26c336a295e4e209157fed809706c1b1f7"},{"url":"https://git.kernel.org/stable/c/aaeae6533d77e6ed4def85baec01e2815ebbef61"},{"url":"https://git.kernel.org/stable/c/8763f8317bb389aded32a32b08f6751cfff657d2"},{"url":"https://git.kernel.org/stable/c/38c28fe25611099230f0965c925499bfcf46a795"},{"url":"https://git.kernel.org/stable/c/a6e5461f076c2ef63159f18e5cdbd30b50f0bc15"},{"url":"https://git.kernel.org/stable/c/01af542392b5d41fd659d487015a71f627accce3"}],"title":"usb: ulpi: fix double free in ulpi_register_interface() error path","x_generator":{"engine":"bippy-1.2.0"}}}}