{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31730", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.135Z", "datePublished": "2026-05-01T14:14:29.522Z", "dateUpdated": "2026-05-01T14:14:29.522Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-01T14:14:29.522Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: possible double-free of cctx->remote_heap\n\nfastrpc_init_create_static_process() may free cctx->remote_heap on the\nerr_map path but does not clear the pointer. Later, fastrpc_rpmsg_remove()\nfrees cctx->remote_heap again if it is non-NULL, which can lead to a\ndouble-free if the INIT_CREATE_STATIC ioctl hits the error path and the rpmsg\ndevice is subsequently removed/unbound.\nClear cctx->remote_heap after freeing it in the error path to prevent the\nlater cleanup from freeing it again.\n\nThis issue was found by an in-house analysis workflow that extracts AST-based\ninformation and runs static checks, with LLM assistance for triage, and was\nconfirmed by manual code review.\nNo hardware testing was performed."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/misc/fastrpc.c"], "versions": [{"version": "0871561055e666da421d779397efcc1e5e964cab", "lessThan": "4b8e527aca357a6488680713bd88007cf8f547fe", "status": "affected", "versionType": "git"}, {"version": "0871561055e666da421d779397efcc1e5e964cab", "lessThan": "0bdee4118340c5a756220c1b29a7dab86bb0aa65", "status": "affected", "versionType": "git"}, {"version": "0871561055e666da421d779397efcc1e5e964cab", "lessThan": "3a164f640953cc982804746e772d379171aff5c6", "status": "affected", "versionType": "git"}, {"version": "0871561055e666da421d779397efcc1e5e964cab", "lessThan": "f67d368d26764a357691b2b3a33d3cb55b435bfc", "status": "affected", "versionType": "git"}, {"version": "0871561055e666da421d779397efcc1e5e964cab", "lessThan": "ba2c83167b215da30fa2aae56b140198cf8d8408", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/misc/fastrpc.c"], "versions": [{"version": "6.2", "status": "affected"}, {"version": "0", "lessThan": "6.2", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.134", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.81", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.22", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.12", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.134"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.12.81"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.18.22"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.19.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/4b8e527aca357a6488680713bd88007cf8f547fe"}, {"url": "https://git.kernel.org/stable/c/0bdee4118340c5a756220c1b29a7dab86bb0aa65"}, {"url": "https://git.kernel.org/stable/c/3a164f640953cc982804746e772d379171aff5c6"}, {"url": "https://git.kernel.org/stable/c/f67d368d26764a357691b2b3a33d3cb55b435bfc"}, {"url": "https://git.kernel.org/stable/c/ba2c83167b215da30fa2aae56b140198cf8d8408"}], "title": "misc: fastrpc: possible double-free of cctx->remote_heap", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: possible double-free of cctx->remote_heap\n\nfastrpc_init_create_static_process() may free cctx->remote_heap on the\nerr_map path but does not clear the pointer. Later, fastrpc_rpmsg_remove()\nfrees cctx->remote_heap again if it is non-NULL, which can lead to a\ndouble-free if the INIT_CREATE_STATIC ioctl hits the error path and the rpmsg\ndevice is subsequently removed/unbound.\nClear cctx->remote_heap after freeing it in the error path to prevent the\nlater cleanup from freeing it again.\n\nThis issue was found by an in-house analysis workflow that extracts AST-based\ninformation and runs static checks, with LLM assistance for triage, and was\nconfirmed by manual code review.\nNo hardware testing was performed."}], "id": "CVE-2026-31730", "lastModified": "2026-05-01T15:24:14.893", "metrics": {}, "published": "2026-05-01T15:16:35.577", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0bdee4118340c5a756220c1b29a7dab86bb0aa65"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3a164f640953cc982804746e772d379171aff5c6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4b8e527aca357a6488680713bd88007cf8f547fe"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ba2c83167b215da30fa2aae56b140198cf8d8408"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f67d368d26764a357691b2b3a33d3cb55b435bfc"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0871561055e666da421d779397efcc1e5e964cab,4b8e527aca357a6488680713bd88007cf8f547fe)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0871561055e666da421d779397efcc1e5e964cab,0bdee4118340c5a756220c1b29a7dab86bb0aa65)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0871561055e666da421d779397efcc1e5e964cab,3a164f640953cc982804746e772d379171aff5c6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0871561055e666da421d779397efcc1e5e964cab,f67d368d26764a357691b2b3a33d3cb55b435bfc)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0871561055e666da421d779397efcc1e5e964cab,ba2c83167b215da30fa2aae56b140198cf8d8408)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.2"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.2)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.6.134,6.6.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.81,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.22,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.12,6.19.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "created": "2026-05-01T15:45:15.880235+00:00", "updated": "2026-05-01T15:45:15.880295+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}