Skip to main content

Linux Kernel CVE-2026-46073

| EUVDEUVD-2026-32455 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-4x22-m2xr-v7q7
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access and low privileges required to signal a process using a physically-attached POWERZ USB device; no confirmed confidentiality or integrity impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
6.1 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 17:10 vuln.today
CVSS changed
Jun 24, 2026 - 17:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt

wait_for_completion_interruptible_timeout() returns -ERESTARTSYS when interrupted. This needs to abort the URB and return an error. No data has been received from the device so any reads from the transfer buffer are invalid.

The original code tests !ret, which only catches the timeout case (0). On signal delivery (-ERESTARTSYS), !ret is false so the function skips usb_kill_urb() and falls through to read from the unfilled transfer buffer.

Fix by capturing the return value into a long (matching the function return type) and handling signal (negative) and timeout (zero) cases with separate checks that both call usb_kill_urb() before returning.

AnalysisAI

Linux kernel's hwmon powerz USB power meter driver fails to cancel an in-flight USB Request Block (URB) when a process is interrupted by a signal mid-read, resulting in reads from an unfilled DMA transfer buffer that can cause denial of service and potentially expose stale kernel buffer contents. Affected since commit 4381a36abdf1c5c0323c1c51f869dc000115eb20 and patched in stable releases 6.12.86, 7.0.4, and 6.18.27. No public exploit exists and EPSS is 0.02% (5th percentile), reflecting both the niche hardware dependency and strictly local attack surface; this issue is not listed in CISA KEV.

Technical ContextAI

The powerz driver (Linux hwmon subsystem) supports POWERZ-brand USB power meters by issuing URBs to asynchronously fetch measurement data from the device. The driver calls wait_for_completion_interruptible_timeout() to block until the USB transfer completes. This function has three distinct return semantics: positive (data received), 0 (timeout), and -ERESTARTSYS (interrupted by a Unix signal). The original code tested !ret - a condition that is true only for the timeout case (0) - leaving -ERESTARTSYS unhandled. On signal delivery, the function returned false, bypassed usb_kill_urb(), and fell through to read from the transfer buffer that the device had never filled, effectively consuming stale or uninitialized DMA memory. The fix captures the return value into a long and adds explicit branches for both negative (signal) and zero (timeout) cases, each calling usb_kill_urb() before returning. The root cause maps to CWE-252 (Unchecked Return Value) combined with CWE-908 (Use of Uninitialized Resource). CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*.

RemediationAI

Update to a patched kernel stable release: Linux 6.12.86, 7.0.4, or 6.18.27 per EUVD-2026-32455 data, applying the upstream stable commits referenced at https://git.kernel.org/stable/ for the respective branch. For systems that cannot be patched immediately, blacklisting the powerz kernel module eliminates the attack surface entirely: add 'blacklist powerz' to /etc/modprobe.d/blacklist.conf and run depmod -a, then reboot or run modprobe -r powerz. The trade-off is loss of POWERZ USB power meter monitoring functionality. Physically disconnecting POWERZ USB devices achieves the same isolation without a kernel change. No compensating control is needed on systems that have never had POWERZ hardware attached, as the driver will not be loaded.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46073 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy