Skip to main content

Linux Kernel CVE-2026-45936

| EUVDEUVD-2026-32220 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-mj3c-jc9w-939m
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.4 MEDIUM

Local-only race condition (AV:L/AC:H) requiring privilege to drive driver probe/removal teardown (PR:H); successful use-after-free yields full kernel memory compromise (C/I/A:H).

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 19:31 vuln.today
CVSS changed
Jun 24, 2026 - 17:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

power: supply: goldfish: Fix use-after-free in power_supply_changed()

Using the devm_ variant for requesting IRQ _before_ the devm_ variant for allocating/registering the power_supply handle, means that the power_supply handle will be deallocated/unregistered _before_ the interrupt handler (since devm_ naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the power_supply handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling power_supply_changed() with a freed power_supply handle. Which usually crashes the system or otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during probe(); the possibility of an interrupt firing _before_ registering the power_supply handle. This would then lead to the nasty situation of using the power_supply handle *uninitialized* in power_supply_changed().

Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the power_supply handle.

AnalysisAI

Use-after-free in the Linux kernel's goldfish power-supply driver (drivers/power/supply/goldfish_battery) allows a local attacker to crash the system or corrupt kernel memory by racing device probe/removal against the battery IRQ handler. The driver requested its IRQ via devm_ before registering the power_supply handle, so on teardown the handle is freed while the still-live interrupt can fire and call power_supply_changed() on freed (or, during probe, uninitialized) memory. No public exploit identified at time of analysis; EPSS is negligible (0.02%) and the bug is not in CISA KEV.

Technical ContextAI

The affected component is the goldfish_battery driver, a virtual power-supply/battery device exposed by the Android 'goldfish' emulator platform (QEMU-based). The root cause is CWE-416 (Use-After-Free) arising from incorrect ordering of devm_-managed resources: because devres frees in reverse order of allocation, requesting the IRQ before allocating/registering the power_supply object causes the power_supply to be torn down first, leaving the IRQ handler briefly active with a dangling pointer. The same ordering also creates a probe-time window where an interrupt can reference the not-yet-registered handle. The fix reorders initialization so the IRQ is requested only after power_supply registration, closing both the removal-time and probe-time races. CPE data scopes this to cpe:2.3:o:linux:linux_kernel across multiple stable branches.

RemediationAI

Vendor-released patch: update to a fixed stable kernel - 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, or 6.19.4 (or later on your branch), per the git.kernel.org stable commits referenced in EUVD-2026-32220. There is no configuration workaround for the race itself, but because the bug is confined to the goldfish_battery driver, an effective compensating control on systems that do not need it is to avoid loading the module - blacklist goldfish_battery (e.g. via /etc/modprobe.d) or build a kernel without CONFIG_BATTERY_GOLDFISH; the trade-off is loss of virtual battery reporting inside goldfish/Android emulator guests, which is irrelevant on production hosts. Where the driver is required (emulator/CI images), apply the kernel update and avoid repeated driver unbind/rebind cycles by untrusted local users. Advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-45936.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

CVE-2026-45936 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy