CVE Catalog

CVE-2026-31651

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.11%

2th percentile - higher than 2% of all known CVEs

Summary

In the Linux kernel, a NULL-pointer dereference vulnerability was found in the vub300 driver for MMC/SD cards over USB during device disconnect. The issue occurs because the controller is not deregistered before dropping the driver data reference, potentially causing a crash.

Risk Assessment

The risk includes kernel panic or use-after-free when disconnecting an MMC/SD card reader via USB, leading to system instability or potential privilege escalation.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit that deregisters the controller before releasing driver data). Monitor official security advisories from your Linux distribution and apply the patch when available.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: mmc: vub300: fix NULL-deref on disconnect Make sure to deregister the controller before dropping the reference to the driver data on disconnect to avoid NULL-pointer dereferences or use-after-free.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS