Skip to main content

Linux Kernel CVE-2026-45902

| EUVDEUVD-2026-32368 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-h63c-9r2v-9cmw
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.3 MEDIUM

Local trigger needs charger hardware and a probe/removal timing race (AV:L, AC:H); practical impact is memory corruption and crash (I:H/A:H), with no real confidentiality leak (C:N).

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
6.3 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 16:37 vuln.today
CVSS changed
Jun 24, 2026 - 16:37 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

power: supply: bq256xx: Fix use-after-free in power_supply_changed()

Using the devm_ variant for requesting IRQ _before_ the devm_ variant for allocating/registering the power_supply handle, means that the power_supply handle will be deallocated/unregistered _before_ the interrupt handler (since devm_ naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the power_supply handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling power_supply_changed() with a freed power_supply handle. Which usually crashes the system or otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during probe(); the possibility of an interrupt firing _before_ registering the power_supply handle. This would then lead to the nasty situation of using the power_supply handle *uninitialized* in power_supply_changed().

Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the power_supply handle.

AnalysisAI

Local privilege-level use-after-free in the Linux kernel's bq256xx battery charger driver (power: supply: bq256xx) allows memory corruption when a charger IRQ fires during device probe or removal, calling power_supply_changed() against a freed or uninitialized power_supply handle. The flaw stems from devm_ resources being released in reverse order, so the IRQ outlives the power_supply registration; triggering it typically crashes the system or silently corrupts kernel memory. No public exploit is identified at time of analysis and EPSS exploitation probability is negligible (0.02%, 7th percentile), with no CISA KEV listing.

Technical ContextAI

The affected component is the bq256xx driver under the kernel's power-supply subsystem, which manages Texas Instruments BQ256xx-series I2C battery chargers. The root cause is CWE-416 (Use-After-Free) arising from incorrect ordering of managed-device (devm_) resource registration: the driver requested its IRQ via devm_request_threaded_irq() before allocating/registering the power_supply object via devm_power_supply_register(). Because devm_ resources are torn down in reverse allocation order, on driver unbind the power_supply handle is freed before the IRQ handler is unregistered, leaving a window where a charger interrupt invokes power_supply_changed() on dangling memory. A symmetric problem exists at probe time: an interrupt arriving before power_supply registration completes would dereference an uninitialized handle. The fix reorders initialization so the IRQ is requested only after power_supply registration succeeds. Per CPE data the affected product is cpe:2.3:o:linux:linux_kernel across multiple version ranges.

RemediationAI

Apply the vendor-released kernel patch by upgrading to a fixed stable release for your branch: 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, or 6.19.4 (or later within each series); the corresponding upstream fix commits are published at git.kernel.org (e.g. https://git.kernel.org/stable/c/4b6fb0b6124f558131e502e3ffd03e6583b3ace6 and the sibling stable commits). For distribution kernels, install the vendor kernel update that backports these commits and reboot. As a compensating control where immediate patching is not possible and the BQ256xx charger is not needed, blacklist or unload the bq256xx module (e.g. via modprobe blacklist) to remove the vulnerable code path entirely - the trade-off is loss of charger management/monitoring on devices that rely on this hardware. Avoid scripted or repeated driver bind/unbind of this charger on production systems, since the use-after-free window is tied to probe/removal. Reference the NVD advisory (https://nvd.nist.gov/vuln/detail/CVE-2026-45902) and VulDB entry (https://vuldb.com/vuln/366143) for tracking.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

CVE-2026-45902 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy