Skip to main content

Linux Kernel CVE-2026-45946

| EUVDEUVD-2026-32230 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-wp75-7gqm-j93m
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.0 MEDIUM

Local race in a driver lifecycle path requires root-level control over bind/unbind or module load (PR:H), winning a narrow IRQ timing window (AC:H); kernel UAF yields high integrity/availability impact, limited confidentiality leakage.

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 04:43 vuln.today
CVSS changed
Jun 16, 2026 - 02:37 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

power: supply: ab8500: Fix use-after-free in power_supply_changed()

Using the devm_ variant for requesting IRQ _before_ the devm_ variant for allocating/registering the power_supply handle, means that the power_supply handle will be deallocated/unregistered _before_ the interrupt handler (since devm_ naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the power_supply handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling power_supply_changed() with a freed power_supply handle. Which usually crashes the system or otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during probe(); the possibility of an interrupt firing _before_ registering the power_supply handle. This would then lead to the nasty situation of using the power_supply handle *uninitialized* in power_supply_changed().

Commit 1c1f13a006ed ("power: supply: ab8500: Move to componentized binding") introduced this issue during a refactorization. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the power_supply handle.

AnalysisAI

Use-after-free in the Linux kernel's ab8500 power supply driver (drivers/power/supply/ab8500) can be triggered during device removal or probe due to incorrect ordering of devm_-managed resource allocation. The race allows an IRQ handler to invoke power_supply_changed() against a freed or uninitialized power_supply handle, typically resulting in a kernel crash or silent memory corruption. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the flaw is not on CISA KEV.

Technical ContextAI

The ab8500 driver uses devm_-managed (device-managed) resources, which the kernel releases in reverse order of allocation when the device is torn down. The buggy commit 1c1f13a006ed ("power: supply: ab8500: Move to componentized binding") registered the IRQ via devm_request_irq() before registering the power_supply handle via devm_power_supply_register(), so on removal the power_supply object is freed first while the IRQ can still fire. A similar window exists during probe before the handle is initialized. This is a textbook CWE-416 (Use-After-Free) in kernel space, specific to platforms using the ST-Ericsson AB8500 PMIC (historically Snowball/Ux500 ARM boards), and is fixed by reordering allocations so the IRQ is requested only after power_supply registration completes.

RemediationAI

Vendor-released patch: upgrade to a Linux kernel containing the fix - 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, or 7.0 (or apply one of the stable backport commits listed on git.kernel.org/stable/c/43cbb78ee047b9b12d096d40e3be265969d4c1f8 and the six sibling commits). On distributions, take the next vendor kernel update that incorporates these stable patches. As a compensating control for systems that cannot be patched immediately, restrict the ability to load/unload the ab8500 driver and to bind/unbind the device via sysfs by tightening CAP_SYS_MODULE and root access (trade-off: blocks legitimate hot-reconfiguration); alternatively, blacklist the ab8500_charger/ab8500_btemp/ab8500_fg/ab8500_chargalg modules if the AB8500 PMIC is not in use on the platform (trade-off: disables battery/charger management on AB8500-based hardware, which is unacceptable on affected ST-Ericsson Ux500/Snowball-class devices).

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

CVE-2026-45946 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy