{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31582", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.119Z", "datePublished": "2026-04-24T14:42:12.257Z", "dateUpdated": "2026-05-11T22:11:34.784Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:11:34.784Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (powerz) Fix use-after-free on USB disconnect\n\nAfter powerz_disconnect() frees the URB and releases the mutex, a\nsubsequent powerz_read() call can acquire the mutex and call\npowerz_read_data(), which dereferences the freed URB pointer.\n\nFix by:\n - Setting priv->urb to NULL in powerz_disconnect() so that\n powerz_read_data() can detect the disconnected state.\n - Adding a !priv->urb check at the start of powerz_read_data()\n to return -ENODEV on a disconnected device.\n - Moving usb_set_intfdata() before hwmon registration so the\n disconnect handler can always find the priv pointer."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/hwmon/powerz.c"], "versions": [{"version": "4381a36abdf1c5c0323c1c51f869dc000115eb20", "lessThan": "c78e1d4e48f23792adaa7c94251e22b0d9700a39", "status": "affected", "versionType": "git"}, {"version": "4381a36abdf1c5c0323c1c51f869dc000115eb20", "lessThan": "9e1b798257f96d2e2a2639830eb71add545ce749", "status": "affected", "versionType": "git"}, {"version": "4381a36abdf1c5c0323c1c51f869dc000115eb20", "lessThan": "7003ae4810ca83f0ddca85b768500e313c4b998c", "status": "affected", "versionType": "git"}, {"version": "4381a36abdf1c5c0323c1c51f869dc000115eb20", "lessThan": "61f2aa23b0ce8d7aa5071ed25a7471e246a4fdd4", "status": "affected", "versionType": "git"}, {"version": "4381a36abdf1c5c0323c1c51f869dc000115eb20", "lessThan": "08e57f5e1a9067d5fbf33993aa7f51d60b3d13a4", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/hwmon/powerz.c"], "versions": [{"version": "6.7", "status": "affected"}, {"version": "0", "lessThan": "6.7", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.83", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.24", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.14", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.1", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.83"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.18.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.19.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "7.0.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "7.1-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c78e1d4e48f23792adaa7c94251e22b0d9700a39"}, {"url": "https://git.kernel.org/stable/c/9e1b798257f96d2e2a2639830eb71add545ce749"}, {"url": "https://git.kernel.org/stable/c/7003ae4810ca83f0ddca85b768500e313c4b998c"}, {"url": "https://git.kernel.org/stable/c/61f2aa23b0ce8d7aa5071ed25a7471e246a4fdd4"}, {"url": "https://git.kernel.org/stable/c/08e57f5e1a9067d5fbf33993aa7f51d60b3d13a4"}], "title": "hwmon: (powerz) Fix use-after-free on USB disconnect", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5F48A7A3-A02D-414E-944C-F8E2615861D4", "versionEndExcluding": "6.12.83", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555", "versionEndExcluding": "6.18.24", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB", "versionEndExcluding": "6.19.14", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A", "versionEndExcluding": "7.0.1", "versionStartIncluding": "7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (powerz) Fix use-after-free on USB disconnect\n\nAfter powerz_disconnect() frees the URB and releases the mutex, a\nsubsequent powerz_read() call can acquire the mutex and call\npowerz_read_data(), which dereferences the freed URB pointer.\n\nFix by:\n - Setting priv->urb to NULL in powerz_disconnect() so that\n powerz_read_data() can detect the disconnected state.\n - Adding a !priv->urb check at the start of powerz_read_data()\n to return -ENODEV on a disconnected device.\n - Moving usb_set_intfdata() before hwmon registration so the\n disconnect handler can always find the priv pointer."}], "id": "CVE-2026-31582", "lastModified": "2026-04-27T20:26:58.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-24T15:16:32.903", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/08e57f5e1a9067d5fbf33993aa7f51d60b3d13a4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/61f2aa23b0ce8d7aa5071ed25a7471e246a4fdd4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7003ae4810ca83f0ddca85b768500e313c4b998c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9e1b798257f96d2e2a2639830eb71add545ce749"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c78e1d4e48f23792adaa7c94251e22b0d9700a39"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: hwmon: (powerz) Fix use-after-free on USB disconnect", "id": "2461538", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461538"}, "csaw": false, "cwe": "CWE-825", "details": ["A flaw was found in the Linux kernel's hwmon subsystem. A local attacker, by disconnecting a USB device, could trigger a use-after-free vulnerability in the powerz driver. This occurs when the driver attempts to access a Universal Serial Bus Request Block (URB) after it has been freed during the disconnect process. This flaw can lead to system instability or a denial of service (DoS)."], "name": "CVE-2026-31582", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31582\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31582\nhttps://lore.kernel.org/linux-cve-announce/2026042412-CVE-2026-31582-cf91@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4381a36abdf1c5c0323c1c51f869dc000115eb20,c78e1d4e48f23792adaa7c94251e22b0d9700a39)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4381a36abdf1c5c0323c1c51f869dc000115eb20,9e1b798257f96d2e2a2639830eb71add545ce749)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4381a36abdf1c5c0323c1c51f869dc000115eb20,7003ae4810ca83f0ddca85b768500e313c4b998c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4381a36abdf1c5c0323c1c51f869dc000115eb20,61f2aa23b0ce8d7aa5071ed25a7471e246a4fdd4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4381a36abdf1c5c0323c1c51f869dc000115eb20,08e57f5e1a9067d5fbf33993aa7f51d60b3d13a4)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.7"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.7)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.83,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.24,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.14,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0.1,8.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.1-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T23:44:18.975911+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the patch that nulls the URB pointer on powerz disconnect.", "If an upgrade is not immediately possible, unbind or remove the powerz hwmon device from the system to eliminate the vulnerable code paths, or ensure that no authorized USB devices remain connected that could trigger the bug.", "If the system must continue to use the powerz driver, unload the module with 'modprobe -r powerz' or otherwise disable the driver until a patch can be applied."], "summary": {"action": "Patch Now", "impact": "Kernel crash (Denial of Service)"}, "threat_synthesis": {"affected_systems": "All versions of the Linux kernel that include the powerz hwmon driver and have not yet applied the fix that clears the URB pointer on disconnect are affected. The product is the Linux kernel; the vendor is Linux and the product identifier is Linux:Linux. Specific affected releases are those that do not contain the commit sequence referenced in the advisory links.", "description_and_impact": "The vulnerability is a use\u2011after\u2011free in the powerz hwmon driver that occurs when a USB device is disconnected while the driver still holds a reference to the freed URB structure. A subsequent read operation dereferences the stale pointer, which can trigger a kernel crash. The weakness corresponds to CWE\u2011416 and CWE\u2011825, reflecting a use\u2011after\u2011free and a null pointer dereference.", "risk_and_exploitability": "The CVSS score of 7.8 indicates a high severity impact if successfully exploited. The EPSS score is less than 1%, suggesting that exploitation events are rare. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attacker would need to cause a USB device to disconnect and then trigger a read operation. This attack vector is inferred from the stated conditions and requires the attacker to control the device or the environment to induce the disconnect. While not explicitly documented as feasible, it is considered difficult but not impossible to exploit under the right circumstances."}}}}, "created": "2026-04-27T19:00:15.707789+00:00", "updated": "2026-04-28T23:45:16.062573+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}