CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
In the Linux kernel, the following vulnerability has been resolved:
power: supply: rt9455: Fix use-after-free in power_supply_changed()
Using the devm_ variant for requesting IRQ _before_ the devm_ variant for allocating/registering the power_supply handle, means that the power_supply handle will be deallocated/unregistered _before_ the interrupt handler (since devm_ naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the power_supply handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run.
This will lead to the IRQ handler calling power_supply_changed() with a freed power_supply handle, which usually crashes the system or otherwise silently corrupts the memory...
Note that there is a similar situation which can also happen during probe(); the possibility of an interrupt firing _before_ registering the power_supply handle. This would then lead to the nasty situation of using the power_supply handle *uninitialized* in power_supply_changed().
Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the power_supply handle.
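The ordering argument above (devm_ resources are released in reverse allocation order, so whatever is requested last is torn down first) is easy to check with a small userspace model. The following C program is an added illustration written for this page; it is not kernel code and not the rt9455 driver. It keeps a toy devres list, a flag for whether the power_supply handle is registered and a flag for whether the IRQ handler is live, and counts how many points in one probe/remove cycle an interrupt could arrive and find the handler registered but the handle freed or not yet registered. Function and variable names (devm_add, unsafe_windows, psy_registered, irq_requested) are assumptions of this model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the kernel's devres ("devm_") mechanism, written for this page
 * as an illustration; it is not the rt9455 driver or kernel code. Resources
 * added with devm_add() are released in reverse order when the device is
 * unbound, which is the property the advisory's reasoning relies on. */

#define MAX_DEVRES 8

struct devres {
    const char *name;
    void (*release)(void);
};

static struct devres devres_list[MAX_DEVRES];
static int devres_count;

/* Simulated driver state (these names are assumptions of the model). */
static bool psy_registered;  /* power_supply handle allocated and registered */
static bool irq_requested;   /* IRQ handler wired up and able to fire */

static void devm_add(const char *name, void (*release)(void))
{
    devres_list[devres_count].name = name;
    devres_list[devres_count].release = release;
    devres_count++;
}

static void release_psy(void) { psy_registered = false; }
static void release_irq(void) { irq_requested = false; }

/* Stand-in for the real handler, which calls power_supply_changed() on the
 * handle. Returns false when it would touch a handle that is freed or not yet
 * registered: the use-after-free / uninitialized use the advisory describes. */
static bool rt9455_irq_handler(void)
{
    return psy_registered;
}

/* An interrupt arriving at this instant is only a problem if the handler is
 * still registered and would dereference an invalid handle. */
static int interrupt_now_unsafe(void)
{
    return (irq_requested && !rt9455_irq_handler()) ? 1 : 0;
}

static void reset_model(void)
{
    devres_count = 0;
    psy_registered = false;
    irq_requested = false;
}

static void request_irq(void)
{
    irq_requested = true;
    devm_add("irq", release_irq);
}

static void register_psy(void)
{
    psy_registered = true;
    devm_add("power_supply", release_psy);
}

/* Buggy probe order from the advisory: IRQ before power_supply. */
static int probe_buggy(void)
{
    request_irq();
    int unsafe = interrupt_now_unsafe();   /* handle not registered yet */
    register_psy();
    return unsafe + interrupt_now_unsafe();
}

/* Fixed order: power_supply registered first, then the IRQ. */
static int probe_fixed(void)
{
    register_psy();
    int unsafe = interrupt_now_unsafe();   /* no handler yet, nothing fires */
    request_irq();
    return unsafe + interrupt_now_unsafe();
}

/* Unbind: devres releases in reverse order; probe an interrupt after each step. */
static int remove_device(void)
{
    int unsafe = 0;
    for (int i = devres_count - 1; i >= 0; i--) {
        devres_list[i].release();
        printf("  released %s\n", devres_list[i].name);
        unsafe += interrupt_now_unsafe();
    }
    devres_count = 0;
    return unsafe;
}

/* Number of points in one probe/remove cycle where an interrupt would hit an
 * invalid handle: 2 for the buggy order (one in probe, one in remove), 0 for
 * the fixed order. */
int unsafe_windows(bool fixed)
{
    reset_model();
    int unsafe = fixed ? probe_fixed() : probe_buggy();
    return unsafe + remove_device();
}

int main(void)
{
    printf("buggy order: %d unsafe window(s)\n", unsafe_windows(false));
    printf("fixed order: %d unsafe window(s)\n", unsafe_windows(true));
    return 0;
}
```

With the buggy order the model reports one window during probe (IRQ live, handle not yet registered) and one during remove (handle released first, IRQ still live); swapping the two calls so the IRQ is requested after the power_supply registration makes the IRQ the first resource released on unbind, and both windows disappear. The same check applies to any pair of devm_ resources where one holds a pointer into the other.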
Analysis (AI)
Use-after-free in the Linux kernel's rt9455 power supply driver allows local attackers to trigger memory corruption or system crashes via a race condition during driver probe or removal. The flaw stems from incorrect ordering of devm_-managed resource allocation, where the IRQ handler can fire against a freed or uninitialized power_supply handle. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Exploitation | Exploitation requires (1) hardware that uses the Richtek RT9455 battery charger IC with the rt9455 kernel driver loaded - predominantly embedded Linux devices, handhelds, and certain SBCs, not general-purpose servers or desktops; (2) local access to the device, since the CVSS vector is AV:L; (3) the ability to trigger driver probe or remove cycles concurrently with charger interrupts, which in practice means root or equivalent access to driver bind/unbind sysfs entries despite the CVSS PR:N reflecting that the IRQ itself is hardware-sourced; and (4) winning a narrow timing race between IRQ delivery and devm_ teardown. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals diverge sharply. … |
| Exploit Scenario | On an embedded device using the RT9455 charger, a local attacker with the ability to unbind the driver (typically root via sysfs) repeatedly unbinds the rt9455 device while charger-state interrupts are firing, racing the IRQ handler against devm_ teardown so it dereferences a freed power_supply pointer. The resulting use-after-free yields a kernel crash (denial of service) or, with careful heap grooming, potential memory corruption that could be escalated. … |
| Remediation | Vendor-released patch: upgrade to Linux 7.0 (mainline) or one of the patched stable releases - 6.19.4, 6.18.14, 6.12.75, 6.6.128, 6.1.165, 5.15.202, or 5.10.252 - depending on which long-term branch your distribution tracks; commit references are at https://git.kernel.org/stable/c/d4e2e3c3caa26b93aa9f36d0a6824b584e2a8dfc and the seven sibling hashes listed in the advisory. … |
Recommended Action (AI)
Within 24 hours, identify systems running the rt9455 driver via kernel logs and hardware audits. …
EUVD-2026-34132
GHSA-vj56-8x44-c882