CVE-2026-31769

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A use-after-free issue exists in the gpib driver's IO ioctl handlers. The 'IBRD', 'IBWRT', 'IBCMD', and 'IBWAIT' ioctl handlers utilize a gpib descriptor pointer after the board->big gpib mutex has been released. This creates a window where a concurrent 'IBCLOSEDEV' ioctl can trigger close dev ioctl() to free the descriptor, leading to a use-after-free condition. Specifically, the read ioctl, write ioctl, and command ioctl functions release the mutex before calling their handlers, while wait ioctl calls ibwait(), which releases the mutex internally when wait mask is non-zero. In these scenarios, the descriptor pointer retrieved via handle to descriptor() becomes unprotected.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.