Skip to main content

Linux Kernel CVE-2026-45867

| EUVDEUVD-2026-32333 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-42vv-474v-7pc6
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.3 MEDIUM

Local trigger via driver teardown timing makes AC:H; PR:L for local unbind capability; primary impact is memory corruption and crash (I:H/A:H) with no direct confidentiality disclosure (C:N).

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
5.0 MEDIUM
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 23:17 vuln.today
CVSS changed
Jun 25, 2026 - 21:07 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

power: supply: act8945a: Fix use-after-free in power_supply_changed()

Using the devm_ variant for requesting IRQ _before_ the devm_ variant for allocating/registering the power_supply handle, means that the power_supply handle will be deallocated/unregistered _before_ the interrupt handler (since devm_ naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the power_supply handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling power_supply_changed() with a freed power_supply handle. Which usually crashes the system or otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during probe(); the possibility of an interrupt firing _before_ registering the power_supply handle. This would then lead to the nasty situation of using the power_supply handle *uninitialized* in power_supply_changed().

Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the power_supply handle.

AnalysisAI

Local privilege escalation potential via a use-after-free in the Linux kernel's act8945a power supply driver, where the ACT8945A PMIC IRQ is requested before the power_supply handle is registered (and torn down after it during removal), letting an interrupt invoke power_supply_changed() on a freed or uninitialized handle. Affected systems run vulnerable Linux kernel builds (pre-6.6.128, pre-6.12.75, pre-6.1.165, pre-5.15.202, pre-5.10.252, and others) with the act8945a driver bound to real Atmel/Microchip SAMA5-class hardware. There is no public exploit identified at time of analysis; EPSS is very low (0.02%, 7th percentile) and the flaw is not in CISA KEV.

Technical ContextAI

The ACT8945A is an Active-Semi PMIC (power management IC) with an integrated battery charger, supported by the Linux power supply subsystem driver drivers/power/supply/act8945a_charger.c. The root cause is CWE-416 (Use After Free) stemming from devm_ (managed resource) ordering: devres frees resources in reverse order of acquisition, so requesting the charger IRQ via devm_request_irq() before registering the power_supply via devm_power_supply_register() means the power_supply object is freed first during driver removal while the IRQ is still live. A late-firing interrupt then dereferences the freed handle inside power_supply_changed(). The same ordering also opens a probe-time window where an IRQ can fire before the handle is initialized. The fix reorders allocation so the IRQ is requested only after power_supply registration completes.

RemediationAI

Apply the upstream kernel fix by upgrading to a patched stable release for your series: Vendor-released patch: 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, or 7.0 (use the first patched version at or above your running branch). The corresponding stable commits are available at https://git.kernel.org/stable/c/ (e.g. 697bb5dc0cb4791e244f3970b067bc1ef33be9d9). If you cannot patch immediately, a targeted compensating control is to unbind or blacklist the act8945a_charger module on systems that do not actually use the ACT8945A PMIC, which removes the vulnerable code path entirely with no functional loss on unaffected hardware; on boards that do rely on the PMIC for charging this is not viable since it disables battery/charger status reporting. Avoid repeated driver bind/unbind or hot device-removal cycles on affected kernels, as these are what trigger the race. Distribution kernels should be updated via the vendor's normal channel referencing CVE-2026-45867 / EUVD-2026-32333.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

CVE-2026-45867 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy