Skip to main content

Linux Kernel CVE-2026-45882

| EUVDEUVD-2026-32348 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-2h3q-mh3q-c4fj
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.3 MEDIUM

Local privileged trigger (AV:L/PR:L); race condition timing makes it high-complexity (AC:H); realistic impact is a crash/DoS (A:H) with no confidentiality loss and only incidental integrity from memory corruption.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
SUSE
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 23:32 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

power: supply: pm8916_bms_vm: Fix use-after-free in power_supply_changed()

Using the devm_ variant for requesting IRQ _before_ the devm_ variant for allocating/registering the power_supply handle, means that the power_supply handle will be deallocated/unregistered _before_ the interrupt handler (since devm_ naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the power_supply handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling power_supply_changed() with a freed power_supply handle. Which usually crashes the system or otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during probe(); the possibility of an interrupt firing _before_ registering the power_supply handle. This would then lead to the nasty situation of using the power_supply handle *uninitialized* in power_supply_changed().

Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the power_supply handle.

AnalysisAI

Use-after-free in the Linux kernel's pm8916_bms_vm power-supply driver (for Qualcomm PM8916 battery monitoring on certain Snapdragon SoCs) lets a freed power_supply handle be dereferenced when an IRQ fires during device removal or probe, corrupting kernel memory or crashing the system. The flaw stems from devm-managed IRQ registration occurring before the power_supply handle was registered, so devm's reverse-order teardown frees the handle while the interrupt is still live. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; impact is realistically a local denial of service on the narrow set of devices using this driver.

Technical ContextAI

The affected component is drivers/power/supply/pm8916_bms_vm.c, the voltage-mode battery management system driver for Qualcomm's PM8916 PMIC, used with Snapdragon 410-class platforms. The root cause is CWE-416 (Use After Free): Linux's devm (device-managed) resource API automatically frees resources in reverse order of allocation at driver detach. Because the driver called devm_request_irq() before devm-registering the power_supply object, teardown freed the power_supply handle first while the IRQ remained armed, and conversely an IRQ arriving during probe before registration could touch an uninitialized handle. In either window the handler invokes power_supply_changed() on an invalid pointer. The fix reorders initialization so the IRQ is requested only after the power_supply handle is registered, closing both the removal race and the probe race.

RemediationAI

Upgrade to a patched Linux kernel: per the EUVD data the fix landed in stable releases 6.12.75, 6.18.14, 6.19.4, and 7.0, so apply your distribution's update that incorporates one of these (or backport stable commits 62914959b35e, b69bb88e20c6, 17db6b3abd82, or a8b7117ae3a7 from git.kernel.org/stable/c/). Vendor-released patch available. If immediate patching is not possible and the device uses this driver, the only meaningful compensating control is to avoid triggering the race by not unbinding/unloading or repeatedly rebinding the pm8916_bms_vm driver at runtime (the use-after-free is exercised during driver removal/probe), and to restrict local privileged access that could script module/device detach; if the battery-monitoring functionality is not needed on a given board, blacklisting or not building the module removes the affected code entirely at the cost of losing PM8916 BMS battery reporting. Refer to the NVD advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-45882 and the kernel stable commits.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

CVE-2026-45882 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy