CVE-2026-31689 · PATCHED
linux · linux kernel

EDAC/mc: Fix error path ordering in edac_mc_alloc()

Description

In the Linux kernel, the following vulnerability has been resolved:

EDAC/mc: Fix error path ordering in edac_mc_alloc()

When the mci->pvt_info allocation in edac_mc_alloc() fails, the error path will call put_device() which will end up calling the device's release function. However, the init ordering is wrong such that device_initialize() happens *after* the failed allocation and thus the device itself and the release function pointer are not initialized yet when they're called:

  MCE: In-kernel MCE decoding enabled.
  ------------[ cut here ]------------
  kobject: '(null)': is not initialized, yet kobject_put() is being called.
  WARNING: lib/kobject.c:734 at kobject_put, CPU#22: systemd-udevd
  CPU: 22 UID: 0 PID: 538 Comm: systemd-udevd Not tainted 7.0.0-rc1+ #2 PREEMPT(full)
  RIP: 0010:kobject_put
  Call Trace:
   <TASK>
   edac_mc_alloc+0xbe/0xe0 [edac_core]
   amd64_edac_init+0x7a4/0xff0 [amd64_edac]
   ? __pfx_amd64_edac_init+0x10/0x10 [amd64_edac]
   do_one_initcall
   ...

Reorder the calling sequence so that the device is initialized and thus the release function pointer is properly set before it can be used.

This was found by Claude while reviewing another EDAC patch.
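The ordering problem described above, as a small userspace C model added here (it is not the kernel's code or the upstream patch). The toy_* names and the struct are hypothetical stand-ins for device_initialize(), put_device() and the failing pvt_info allocation.

```c
/* Userspace model, constructed for illustration; toy_* names are hypothetical. */
#include <stdio.h>

struct toy_dev {
    int initialized;                       /* set only by toy_device_initialize() */
    int refs;
    void (*release)(struct toy_dev *);
    int warned, released;                  /* what the error path observed */
};

static void toy_release(struct toy_dev *d) { d->released = 1; }

static void toy_device_initialize(struct toy_dev *d)
{
    d->initialized = 1;
    d->refs = 1;
}

/* Dropping a reference on an object that was never initialized is the bug. */
static void toy_put_device(struct toy_dev *d)
{
    if (!d->initialized) { d->warned = 1; return; }
    if (--d->refs == 0 && d->release)
        d->release(d);
}

/* fixed_order=0: init after the fallible allocation; 1: init before it. */
static struct toy_dev toy_mc_alloc(int fixed_order, int pvt_alloc_fails)
{
    struct toy_dev d = {0};                /* zeroed, like a fresh allocation */

    if (fixed_order) { d.release = toy_release; toy_device_initialize(&d); }
    if (pvt_alloc_fails) {                 /* models the pvt_info allocation failing */
        toy_put_device(&d);                /* shared error path */
        return d;
    }
    if (!fixed_order) { d.release = toy_release; toy_device_initialize(&d); }
    return d;
}

int main(void)
{
    struct toy_dev a = toy_mc_alloc(0, 1), b = toy_mc_alloc(1, 1);
    printf("old order: warned=%d released=%d\n", a.warned, a.released);
    printf("new order: warned=%d released=%d\n", b.warned, b.released);
    return 0;
}
```

In the model, the old ordering reaches the put with no release callback set and trips the "not initialized" check; with the device initialized first, the same error path releases the object cleanly.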

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| linux | linux kernel | 0bbb265f7089584aaa6d440805ca75ea4f3930d4, 0bbb265f7089584aaa6d440805ca75ea4f3930d4, 0bbb265f7089584aaa6d440805ca75ea4f3930d4, 0bbb265f7089584aaa6d440805ca75ea4f3930d4, 0bbb265f7089584aaa6d440805ca75ea4f3930d4, 0bbb265f7089584aaa6d440805ca75ea4f3930d4, 5.19, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12 |

Also Affects

Downstream vendors/products affected by this vulnerability

| Vendor | Product | Source | Confidence |
|---|---|---|---|
| linux | linux | mitre_affected | 90% |
| open source | open source linux kernel | cert_advisory | 90% |

References

  • https://git.kernel.org/stable/c/aae95970fad2127a1bd49d8713c7cd0677dcd2d6
  • https://git.kernel.org/stable/c/d3de72e2a2b9ee3a57734c1c068823e41a707715
  • https://git.kernel.org/stable/c/d20e98c2df9354cc744431ad8ccbf49405b8b40f
  • https://git.kernel.org/stable/c/87ce8ae511962e105bcb3534944208c6a9471ed9
  • https://git.kernel.org/stable/c/75825648ce984ca4cebb28e4bd2bf8c3a7e837c5
  • https://git.kernel.org/stable/c/51520e03e70d6c73e33ee7cbe0319767d05764fe

Related News (4 articles)

Tier A · Microsoft MSRC · 17h ago
CVE-2026-31689 EDAC/mc: Fix error path ordering in edac_mc_alloc()
→ No new info (linked only)

Tier B · BSI Advisories · 1d ago
[NEW] [medium] Linux Kernel: Multiple vulnerabilities
→ No new info (linked only)

Tier C · VulDB · 2d ago
CVE-2026-31689 | Linux Kernel up to 6.19.12 lib/kobject.c edac_mc_alloc allocation of resources
→ No new info (linked only)

Tier C · Linux Kernel CVEs · 2d ago
CVE-2026-31689: EDAC/mc: Fix error path ordering in edac_mc_alloc()
→ No new info (linked only)

CVSS 3.1: 0.0 CRITICAL
CISA KEV: No
Actively exploited: No
Patch available: aae95970fad2127a1bd49d8713c7cd0677dcd2d6, d3de72e2a2b9ee3a57734c1c068823e41a707715, d20e98c2df9354cc744431ad8ccbf49405b8b40f, 87ce8ae511962e105bcb3534944208c6a9471ed9, 75825648ce984ca4cebb28e4bd2bf8c3a7e837c5, 51520e03e70d6c73e33ee7cbe0319767d05764fe; 0, 6.1.169, 6.6.135, 6.12.82, 6.18.23, 6.19.13, 7.0
Published: Apr 27, 2026
Last enriched: 2d ago (v3)
Tags: CVE-2026-31689
Trending Score: 46
Source articles: 4
Independent: 4
Info Completeness: 8/14
Missing: epss, cwe, kev, exploit, iocs, mitre_attack

Related CVEs (5)

HIGH · CVE-2026-31431 · EXP
crypto: algif_aead - Revert to operating out-of-place
Trending: 84

CRITICAL · CVE-2026-31549 · EXP
i2c: cp2615: fix serial string NULL-deref at probe
Trending: 59

CRITICAL · CVE-2026-31661 · EXP
wifi: brcmsmac: Fix dma_free_coherent() size
Trending: 59

HIGH · CVE-2026-23400 · EXP
rust_binder: call set_notification_done() without proc lock
Trending: 43

HIGH · CVE-2026-31548
wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
Trending: 40

Verification

State: verified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 27, 2026
Discovered by ZDM: Apr 27, 2026
Updated: affectedVersions, cvssEstimate, cweIds (Apr 27, 2026)
Patch Available: Apr 27, 2026
Updated: affectedVersions, severity, tags (Apr 27, 2026)

Version History

v3 · Tier C · 2d ago (last enriched 2d ago)

Updated affected versions, changed severity to CRITICAL, and added CVE-2026-31689 as a new tag.

affectedVersions, severity, tags
via VulDB

v2 · Tier C · 2d ago

Updated description with more technical detail, added affected version 5.19, changed severity to HIGH, added CWE-119, and marked exploit as available and actively exploited.

affectedVersions, cvssEstimate, cweIds
via Linux Kernel CVEs

v1 · 2d ago

Initial creation