Skip to main content

Linux CVE-2026-23283

| EUVDEUVD-2026-15206 MEDIUM
2026-03-25 Linux GHSA-xp6c-q838-c8v5
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 22, 2026 - 00:22 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15206
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:26 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

regulator: fp9931: Fix PM runtime reference leak in fp9931_hwmon_read()

In fp9931_hwmon_read(), if regmap_read() failed, the function returned the error code without calling pm_runtime_put_autosuspend(), causing a PM reference leak.

AnalysisAI

A PM runtime reference leak exists in the Linux kernel's fp9931 regulator driver hwmon interface, where the pm_runtime_put_autosuspend() function fails to be called when regmap_read() encounters an error, causing the power management reference count to become unbalanced. This affects all Linux kernel versions with the vulnerable fp9931 driver code. While not directly exploitable for code execution, the reference leak can lead to device power management failures, potential denial of service through resource exhaustion, or unexpected device behavior in systems using the FP9931 regulator hardware.

Technical ContextAI

The fp9931 is a regulator driver in the Linux kernel that interfaces with FP9931 hardware regulators, exposing hwmon (hardware monitoring) interfaces for reading operational parameters. The vulnerability exists in the fp9931_hwmon_read() function which uses pm_runtime_get_sync() to ensure the device is powered before performing register reads via regmap_read(). The root cause is improper error handling: when regmap_read() fails and returns an error code, the function immediately returns without invoking the corresponding pm_runtime_put_autosuspend() cleanup call. This violates resource acquisition and release pairing principles (CWE-775: Missing Release of File Descriptor or Handle After Effective Lifetime, and related to CWE-401: Missing Release of Memory after Effective Lifetime). The affected products are identified via CPE cpe:2.3:a:linux:linux (all versions containing the vulnerable fp9931 driver code prior to the fix commits).

RemediationAI

Upgrade the Linux kernel to a version containing the fp9931 PM runtime reference leak fix by applying or pulling the stable kernel commits ada571018d54c2381bab7c290577114f9667cda7 or 0902010c8d163f7b62e655efda1a843529152c7c from https://git.kernel.org/stable/. For distributions, check with your Linux vendor for kernel updates that include this fix (typically available as a routine security/stability update). If immediate patching is not possible, monitor hwmon interface usage and system power management behavior for signs of resource accumulation; alternatively, disable hwmon access to the fp9931 driver through security modules or access controls if the hardware monitoring functionality is not essential. After patching, verify the fix by confirming the kernel version matches or exceeds the version containing the cited commit hashes.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie not-affected - -
trixie (security) fixed 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Low
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23283 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy