Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
High

Double free in Linux kernel USB ULPI ulpi_register_interface() error path

IdentifiersCVE-2026-31759CWE-415· Double Free

CVE-2026-31759 is a Linux kernel memory-management flaw in the USB ULPI subsystem. The bug is in the error path of ulpi_register_interface() when device_register() fails during ULPI device registration. In that failure case, ulpi_register() calls put_device() on ulpi->dev. That in turn invokes the device release callback ulpi_dev_release(), which drops the OF node reference and frees the ulpi structure. The vulnerable error path in ulpi_register_interface() then also calls kfree(ulpi), resulting in a double free of the same object. The upstream fix removes the redundant free and relies on put_device() and ulpi_dev_release() to perform cleanup.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

A successful trigger causes kernel memory corruption due to a double free in kernel space. Depending on allocator state and reachability of the vulnerable path, this can lead to a kernel crash or other undefined behavior, and may create conditions for local privilege escalation or other compromise of kernel integrity. Available scoring context indicates local exploitation with low privileges and no user interaction.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting local untrusted code execution on affected systems, restricting access to kernel-adjacent device-management interfaces, and minimizing use of affected USB/ULPI-related functionality where operationally feasible. Because this is a kernel double-free in an internal error path, no complete mitigation short of installing a fixed kernel is documented in the provided content.

Remediation

Patch, then assume compromise.

Apply a kernel update that includes the upstream fix for CVE-2026-31759. The remediation is to stop freeing ulpi in ulpi_register_interface() after put_device() has already transferred cleanup to ulpi_dev_release(). Vendor advisories indicate fixes have been shipped across multiple SUSE kernel packages, including SLES 12 SP5 LTSS, SLES 15 SP4/SP5/SP6 lines, SLE Micro 5.3/5.4/5.5, and related SAP, HPC, HA, Manager, and openSUSE Leap variants. Reboot after installing the updated kernel.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
suse securityNews
Jun 26, 2026
Security update for the Linux Kernel | SUSE Support | SUSE

Linux kernel double-free vulnerability in USB ULPI interface registration error handling.

Read more
bugzilla suseNews
Jun 26, 2026
1264076 - (CVE-2026-31759) VUL-0: CVE-2026-31759: kernel: usb: ulpi: fix double free in ulpi_register_interface() error path

A Linux kernel double-free vulnerability in the USB ULPI subsystem's ulpi_register_interface() error path, where cleanup after device_register() failure could free the same ulpi structure twice.

Read more
suse securityNews
Jun 26, 2026
Security update for the Linux Kernel | SUSE Support | SUSE

A Linux kernel double-free vulnerability in the USB ULPI interface registration error path.

Read more
suse securityNews
Jun 25, 2026
Security update for the Linux Kernel | SUSE Support | SUSE

Linux kernel double-free vulnerability in USB ULPI interface registration error handling.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-31759
NVD
nvd.nist.gov/vuln/detail/CVE-2026-31759
MITRE CWE · CWE-415
Double Free
Patch
git.kernel.org/stable/c/01af542392b5d41fd659d487015a71f627accce3
Patch
git.kernel.org/stable/c/272a9b26c336a295e4e209157fed809706c1b1f7
Patch
git.kernel.org/stable/c/2f70ba9dae13a190673cc3f9b4aad52179738f60
Patch
git.kernel.org/stable/c/38c28fe25611099230f0965c925499bfcf46a795
Patch
git.kernel.org/stable/c/8763f8317bb389aded32a32b08f6751cfff657d2
Patch
git.kernel.org/stable/c/a6e5461f076c2ef63159f18e5cdbd30b50f0bc15
Patch
git.kernel.org/stable/c/aaeae6533d77e6ed4def85baec01e2815ebbef61
Patch
git.kernel.org/stable/c/ee248e6e941e4f2e634df2bd43e5f1ef810ab6df