Skip to main content

Linux Kernel CVE-2026-31740

| EUVDEUVD-2026-26553 MEDIUM
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 22:30 vuln.today
CVSS changed
May 07, 2026 - 20:07 NVD
5.5 (MEDIUM)
Patch available
May 01, 2026 - 16:02 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26553
CVE Published
May 01, 2026 - 14:14 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

counter: rz-mtu3-cnt: do not use struct rz_mtu3_channel's dev member

The counter driver can use HW channels 1 and 2, while the PWM driver can use HW channels 0, 1, 2, 3, 4, 6, 7.

The dev member is assigned both by the counter driver and the PWM driver for channels 1 and 2, to their own struct device instance, overwriting the previous value.

The sub-drivers race to assign their own struct device pointer to the same struct rz_mtu3_channel's dev member.

The dev member of struct rz_mtu3_channel is used by the counter sub-driver for runtime PM.

Depending on the probe order of the counter and PWM sub-drivers, the dev member may point to the wrong struct device instance, causing the counter sub-driver to do runtime PM actions on the wrong device.

To fix this, use the parent pointer of the counter, which is assigned during probe to the correct struct device, not the struct device pointer inside the shared struct rz_mtu3_channel.

AnalysisAI

Denial of service in Linux kernel counter driver (rz-mtu3-cnt) allows local attackers with low privileges to crash the system by exploiting a race condition where counter and PWM sub-drivers overwrite a shared device pointer, causing incorrect runtime power management operations. The vulnerability affects kernel versions prior to specific patch levels across the 6.x and 7.x branches, with EPSS exploitation probability of 0.02% indicating low real-world exploitation likelihood despite the availability of a vendor patch.

Technical ContextAI

The Linux kernel's Renesas MTU3 counter driver (rz-mtu3-cnt) and PWM driver share hardware channels 1 and 2, both attempting to assign their respective struct device pointers to the same dev member of struct rz_mtu3_channel. The counter driver relies on this dev member for runtime PM (power management) operations. When both drivers probe, they race to assign their own struct device instance, potentially overwriting the previous value. Depending on probe order, the counter driver may perform runtime PM actions (such as pm_runtime_get_sync or pm_runtime_put) on the wrong device instance, leading to unbalanced power state transitions and system instability. The fix replaces use of the shared struct member with the counter driver's parent pointer, which is correctly assigned during probe.

RemediationAI

Update the Linux kernel to a patched version: Linux 6.6.134 or later, Linux 6.12.81 or later, Linux 6.18.22 or later, Linux 6.19.12 or later, or Linux 7.0 or later depending on the currently deployed kernel branch. The upstream fix is committed to stable branches at commits 28a371be901ef44ee03726c2575d7d6795521fe0 (6.6), 633dfbf0eb2766c597c1a59dd83035c82e14791d (6.12), 6562290225c197e2e193a53de2a517815288dcd1 (6.18), 63be324c795262f0e316c6fe9b329d83afa1ec93 (6.19), and 2932095c114b98cbb40ccf34fc00d613cb17cead (7.0). For systems unable to immediately update, disabling the CONFIG_RZ_MTU3_CNT kernel config option (counter driver) eliminates the race condition but loses counter functionality; alternatively, disabling CONFIG_PWM_RZ_MTU3 (PWM driver) prevents shared hardware contention if counter functionality is non-critical. Both workarounds require kernel recompilation and reboot. Patch references available at https://git.kernel.org/stable/c/28a371be901ef44ee03726c2575d7d6795521fe0 and related stable commit URLs.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31740 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy