Skip to main content

Linux Kernel CVE-2026-45906

| EUVDEUVD-2026-32372 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-29r6-f3mm-4w5f
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.4 MEDIUM

Local timing race needing privileged driver probe/removal gives AV:L, AC:H and PR:H; UAF allows kernel memory corruption, so C/I/A:H.

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 16:39 vuln.today
CVSS changed
Jun 24, 2026 - 16:37 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

power: supply: pf1550: Fix use-after-free in power_supply_changed()

Using the devm_ variant for requesting IRQ _before_ the devm_ variant for allocating/registering the power_supply handle, means that the power_supply handle will be deallocated/unregistered _before_ the interrupt handler (since devm_ naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the power_supply handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling power_supply_changed() with a freed power_supply handle. Which usually crashes the system or otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during probe(); the possibility of an interrupt firing _before_ registering the power_supply handle. This would then lead to the nasty situation of using the power_supply handle *uninitialized* in power_supply_changed().

Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the power_supply handle.

AnalysisAI

Use-after-free in the Linux kernel's pf1550 power-supply driver (drivers/power/supply/pf1550) lets a queued hardware interrupt invoke power_supply_changed() on an already-freed power_supply handle during module/device removal, and can also dereference an uninitialized handle during probe. The flaw stems from devm-managed resource ordering: the IRQ was requested before the power_supply was registered, so devm teardown frees the power_supply first. Impact is typically a kernel crash or silent memory corruption. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis.

Technical ContextAI

The affected component is the NXP PF1550 PMIC charger/power-supply driver in the Linux kernel power_supply subsystem. The root cause is CWE-416 (Use-After-Free) arising from devm (managed device resource) deallocation ordering: devm releases resources in reverse order of acquisition, so requesting the IRQ via devm_request_*_irq() before registering the power_supply via devm_power_supply_register() guarantees the power_supply object is torn down before its interrupt handler is unregistered. A device interrupt firing in that window calls power_supply_changed() against freed (on removal) or not-yet-initialized (on probe) memory. The fix reorders allocation so the IRQ is requested only after the power_supply handle is registered, closing the race window at both probe and removal.

RemediationAI

Vendor-released patch: upgrade to Linux 6.19.4 (or mainline 7.0) or later, or apply the stable backport commits 1bdefeed904f1f17e1f73a4d8a035515f3a9fad8 and 838767f5074700552d3f006d867caed65edc7328 from git.kernel.org. As a compensating control on systems that cannot patch immediately, prevent loading the pf1550 driver if the PF1550 PMIC is not required (blacklist the module), and restrict driver bind/unbind and module load/unload to root only (these are root-gated by default) to limit who can trigger the probe/removal race - the trade-off is that blacklisting disables PF1550 charger/power monitoring entirely, so only do this on hardware that does not depend on it. There is no application-level workaround since the bug is in kernel driver lifecycle ordering; patching is the only complete fix.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

CVE-2026-45906 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy