Skip to main content

Linux Kernel CVE-2026-31741

| EUVDEUVD-2026-26554 MEDIUM
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 22:30 vuln.today
CVSS changed
May 07, 2026 - 20:07 NVD
5.5 (MEDIUM)
Patch available
May 01, 2026 - 16:02 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26554
CVE Published
May 01, 2026 - 14:14 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

counter: rz-mtu3-cnt: prevent counter from being toggled multiple times

Runtime PM counter is incremented / decremented each time the sysfs enable file is written to.

If user writes 0 to the sysfs enable file multiple times, runtime PM usage count underflows, generating the following message.

rz-mtu3-counter rz-mtu3-counter.0: Runtime PM usage count underflow!

At the same time, hardware registers end up being accessed with clocks off in rz_mtu3_terminate_counter() to disable an already disabled channel.

If user writes 1 to the sysfs enable file multiple times, runtime PM usage count will be incremented each time, requiring the same number of 0 writes to get it back to 0.

If user writes 0 to the sysfs enable file while PWM is in progress, PWM is stopped without counter being the owner of the underlying MTU3 channel.

Check against the cached count_is_enabled value and exit if the user is trying to set the same enable value.

AnalysisAI

Denial of service via runtime PM usage count underflow in the rz-mtu3-cnt counter driver allows local privileged users to disable hardware counters and trigger kernel warnings by repeatedly writing to the sysfs enable file. Multiple writes of the same value (0 or 1) to the enable attribute cause the runtime PM reference count to become misaligned with actual hardware state, leading to register access with clocks disabled and potential PWM channel conflicts. EPSS exploitation probability is minimal (0.02%) despite local access requirement, indicating this is primarily a local reliability issue rather than a remote attack vector.

Technical ContextAI

The vulnerability exists in the Linux kernel's rz-mtu3-cnt hardware counter driver, which manages MTU3 (Multi-function Timer Unit 3) counter devices through sysfs interfaces. The driver uses runtime PM (Power Management) to control clock gating for the underlying hardware. The root cause is the absence of state validation when processing sysfs writes to the enable file - the driver increments or decrements the runtime PM usage counter without first checking whether the counter is already in the requested state. This causes usage count to drift out of sync with actual hardware enabled/disabled state. The rz_mtu3_terminate_counter() function attempts hardware register access when the clock domain is already powered down, and PWM channel ownership conflicts occur when the counter is disabled while PWM is active. Affected products identified by CPE:2.3:a:linux:linux affecting all Linux distributions shipping vulnerable kernel versions.

RemediationAI

Apply vendor-released kernel patches immediately: upgrade to Linux 6.6.134, 6.18.22, 6.19.12, 7.0, or 6.12.81 depending on your stable branch (patch commits available at https://git.kernel.org/stable/c/885aa739a07ab45e90dfa997205acec97979ce4e and related commit hashes). The fix implements state caching by checking the cached count_is_enabled value before modifying runtime PM counters, preventing redundant increment/decrement operations. For systems unable to update immediately, restrict sysfs write permissions to the rz-mtu3-cnt enable attribute using standard Linux access controls (chmod/ACLs on /sys/devices/.../enable or cgroup device access restrictions). This prevents unprivileged users from triggering the vulnerability but may break legitimate counter management workflows if applications depend on repeated writes. Alternatively, disable the rz-mtu3-cnt driver module if counter functionality is not required (rmmod rz_mtu3_cnt, then blacklist in modprobe.d), though this loses hardware counter access entirely.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31741 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy