Skip to main content

Linux Kernel CVE-2026-46246

| EUVDEUVD-2026-34108 HIGH
Use After Free (CWE-416)
2026-06-03 Linux GHSA-r949-42x5-fm64
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 09, 2026 - 22:46 vuln.today
CVSS changed
Jun 09, 2026 - 20:37 NVD
7.8 (HIGH)
Patch available
Jun 03, 2026 - 19:01 EUVD
CVE Published
Jun 03, 2026 - 15:49 nvd
HIGH 7.8
CVE Published
Jun 03, 2026 - 15:49 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

power: supply: pm8916_lbc: Fix use-after-free for extcon in IRQ handler

Using the devm_ variant for requesting IRQ _before_ the devm_ variant for allocating/registering the extcon handle, means that the extcon handle will be deallocated/unregistered _before_ the interrupt handler (since devm_ naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the extcon handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling extcon_set_state_sync() with a freed extcon handle. Which usually crashes the system or otherwise silently corrupts the memory...

Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the extcon handle.

AnalysisAI

Use-after-free in the Linux kernel's pm8916_lbc power supply driver allows a local attacker to potentially trigger memory corruption or kernel crashes during device removal. The flaw stems from incorrect ordering of devm_-managed resources: the extcon handle is freed before the IRQ is unregistered, leaving a window where the IRQ handler invokes extcon_set_state_sync() on freed memory. No public exploit identified at time of analysis, and EPSS rates exploitation probability at 0.02% (5th percentile), reflecting low real-world attacker interest in this driver-specific race.

Technical ContextAI

The vulnerability resides in drivers/power/supply/pm8916_lbc.c, the Linux power supply driver for the Qualcomm PM8916 PMIC linear battery charger commonly found in older Qualcomm SoC platforms (e.g., MSM8916/Snapdragon 410 devices). The bug is a CWE-416 (Use After Free) caused by misuse of the device-managed (devm_) resource framework: devm_ resources are released in reverse order of acquisition (LIFO). Because devm_request_irq() was called before devm_extcon_register(), the extcon handle is freed first during unbind/removal, leaving the still-registered IRQ handler able to dereference a freed pointer when calling extcon_set_state_sync(). The fix reorders allocation so the IRQ is requested only after the extcon handle is registered, ensuring proper teardown ordering.

RemediationAI

Vendor-released patch: Linux 6.12.75, 6.18.14, 6.19.4, or 7.0 - upgrade to the corresponding stable kernel for your branch (commits 47abfc20, 9fab0120, 23067259, 48e0f68b at https://git.kernel.org/stable/). For distributions, pick up the backported stable kernel update once published by your vendor (Debian, Ubuntu, Red Hat, SUSE, Android/AOSP). If patching is not immediately possible, restrict access to driver unbind operations by ensuring /sys/bus/platform/drivers/pm8916_lbc/unbind and module unload paths are accessible only to root (default on standard systems) and avoid runtime unloading of the power supply driver in production; on embedded devices that do not require hot-unbind, blacklisting dynamic driver removal eliminates the trigger entirely. Note that disabling the driver wholesale would break charging functionality on affected hardware, so this is only viable if the device does not use the PM8916 PMIC.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

CVE-2026-46246 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy