Skip to main content

Linux Kernel CVE-2026-46292

| EUVDEUVD-2026-35158 MEDIUM
Missing Release of Resource after Effective Lifetime (CWE-772)
2026-06-08 Linux GHSA-6pv2-qc8v-r267
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access with low privileges required to trigger device detach; impact is purely availability via kernel NULL pointer dereference with no data exposure.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 22:33 vuln.today
CVSS changed
Jul 08, 2026 - 21:37 NVD
5.5 (MEDIUM)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:46 nvd
MEDIUM 5.5
CVE Published
Jun 08, 2026 - 15:46 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

pmdomain: core: Fix detach procedure for virtual devices in genpd

If a device is attached to a PM domain through genpd_dev_pm_attach_by_id(), genpd calls pm_runtime_enable() for the corresponding virtual device that it registers. While this avoids boilerplate code in drivers, there is no corresponding call to pm_runtime_disable() in genpd_dev_pm_detach().

This means these virtual devices are typically detached from its genpd, while runtime PM remains enabled for them, which is not how things are designed to work. In worst cases it may lead to critical errors, like a NULL pointer dereference bug in genpd_runtime_suspend(), which was recently reported. For another case, we may end up keeping an unnecessary vote for a performance state for the device.

To fix these problems, let's add this missing call to pm_runtime_disable() in genpd_dev_pm_detach().

AnalysisAI

Missing resource cleanup in the Linux kernel's generic power domain (genpd) subsystem causes runtime PM to remain enabled for virtual devices after detach, leading to a NULL pointer dereference in genpd_runtime_suspend() and local denial of service. The flaw affects systems where drivers use genpd_dev_pm_attach_by_id() - predominantly ARM and SoC-based platforms - since the balancing pm_runtime_disable() call is absent from genpd_dev_pm_detach(). No public exploit exists and EPSS at 0.02% (5th percentile) confirms negligible exploitation probability; this is not listed in CISA KEV.

Technical ContextAI

The Linux kernel's Generic Power Domain (genpd) framework manages power states for SoC peripherals, particularly prevalent on ARM-based embedded and mobile platforms. When a driver calls genpd_dev_pm_attach_by_id(), genpd registers a virtual device and enables runtime power management via pm_runtime_enable(). The bug (CWE-772: Missing Release of Resource after Effective Lifetime) is a symmetric API violation: pm_runtime_enable() is called during attach but the corresponding pm_runtime_disable() is never invoked during detach in genpd_dev_pm_detach(). This leaves runtime PM active for a virtual device that is no longer bound, creating a dangling state where the PM subsystem may attempt to suspend a device with a partially or fully torn-down state, triggering a NULL pointer dereference in genpd_runtime_suspend(). A secondary effect is unnecessary votes being retained for device performance states. Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*, introduced at commit 3c095f32a92be4d07f3172a777dab1aacdb6a728.

RemediationAI

The primary fix is to upgrade the Linux kernel to a patched stable release: 6.6.141, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3, depending on the branch tracked by your distribution. Upstream fix commits are available at git.kernel.org and can be cherry-picked into out-of-tree kernels if a full upgrade is not immediately feasible. Systems that do not use any drivers invoking genpd_dev_pm_attach_by_id() are not exposed; administrators on embedded or SoC platforms can audit their driver tree with grep -r 'genpd_dev_pm_attach_by_id' to confirm exposure. As a compensating control prior to patching, restricting unprivileged local user access via SELinux, AppArmor, or reduced attack surface (removing unnecessary local accounts) reduces the risk of a local attacker intentionally triggering the detach path. Applying the kernel patch does not introduce known functional regressions, as it simply adds the missing symmetric pm_runtime_disable() call.

Share

CVE-2026-46292 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy