CVE-2026-31750

MEDIUM

comedi: runflags cannot determine whether to reclaim chanlist

Title source: cna

Description

In the Linux kernel, the following vulnerability has been resolved: comedi: runflags cannot determine whether to reclaim chanlist syzbot reported a memory leak [1], because commit 4e1da516debb ("comedi: Add reference counting for Comedi command handling") did not consider the exceptional exit case in do_cmd_ioctl() where runflags is not set. This caused chanlist not to be properly freed by do_become_nonbusy(), as it only frees chanlist when runflags is correctly set. Added a check in do_become_nonbusy() for the case where runflags is not set, to properly free the chanlist memory. [1] BUG: memory leak backtrace (crc 844a0efa): __comedi_get_user_chanlist drivers/comedi/comedi_fops.c:1815 [inline] do_cmd_ioctl.part.0+0x112/0x350 drivers/comedi/comedi_fops.c:1890 do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 [inline]

References (2)

Core 2

Core References

https://git.kernel.org/stable/c/830c848aba9f047eb6b34288975ebeb8e8621451

https://git.kernel.org/stable/c/29f644f14b89e6c4965e3c89251929e451190a66

Scores

CVSS v3 5.5

EPSS 0.0001

EPSS Percentile 3.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-401

Status published

Products (8)

Linux/Linux < 6.19

Linux/Linux 4e1da516debbe6a573ffa0392e2809d180d0575c - 29f644f14b89e6c4965e3c89251929e451190a66

Linux/Linux 4e1da516debbe6a573ffa0392e2809d180d0575c - 830c848aba9f047eb6b34288975ebeb8e8621451

Linux/Linux 6.19

Linux/Linux 6.19.12 - 6.19.*

Linux/Linux 7.0

linux/linux_kernel 7.0 rc1 (6 CPE variants)

linux/linux_kernel 6.19 - 6.19.12

Published May 01, 2026

Tracked Since May 01, 2026