Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local access with low privileges required to trigger device detach; impact is purely availability via kernel NULL pointer dereference with no data exposure.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
pmdomain: core: Fix detach procedure for virtual devices in genpd
If a device is attached to a PM domain through genpd_dev_pm_attach_by_id(), genpd calls pm_runtime_enable() for the corresponding virtual device that it registers. While this avoids boilerplate code in drivers, there is no corresponding call to pm_runtime_disable() in genpd_dev_pm_detach().
This means these virtual devices are typically detached from its genpd, while runtime PM remains enabled for them, which is not how things are designed to work. In worst cases it may lead to critical errors, like a NULL pointer dereference bug in genpd_runtime_suspend(), which was recently reported. For another case, we may end up keeping an unnecessary vote for a performance state for the device.
To fix these problems, let's add this missing call to pm_runtime_disable() in genpd_dev_pm_detach().
AnalysisAI
Missing resource cleanup in the Linux kernel's generic power domain (genpd) subsystem causes runtime PM to remain enabled for virtual devices after detach, leading to a NULL pointer dereference in genpd_runtime_suspend() and local denial of service. The flaw affects systems where drivers use genpd_dev_pm_attach_by_id() - predominantly ARM and SoC-based platforms - since the balancing pm_runtime_disable() call is absent from genpd_dev_pm_detach(). No public exploit exists and EPSS at 0.02% (5th percentile) confirms negligible exploitation probability; this is not listed in CISA KEV.
Technical ContextAI
The Linux kernel's Generic Power Domain (genpd) framework manages power states for SoC peripherals, particularly prevalent on ARM-based embedded and mobile platforms. When a driver calls genpd_dev_pm_attach_by_id(), genpd registers a virtual device and enables runtime power management via pm_runtime_enable(). The bug (CWE-772: Missing Release of Resource after Effective Lifetime) is a symmetric API violation: pm_runtime_enable() is called during attach but the corresponding pm_runtime_disable() is never invoked during detach in genpd_dev_pm_detach(). This leaves runtime PM active for a virtual device that is no longer bound, creating a dangling state where the PM subsystem may attempt to suspend a device with a partially or fully torn-down state, triggering a NULL pointer dereference in genpd_runtime_suspend(). A secondary effect is unnecessary votes being retained for device performance states. Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*, introduced at commit 3c095f32a92be4d07f3172a777dab1aacdb6a728.
RemediationAI
The primary fix is to upgrade the Linux kernel to a patched stable release: 6.6.141, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3, depending on the branch tracked by your distribution. Upstream fix commits are available at git.kernel.org and can be cherry-picked into out-of-tree kernels if a full upgrade is not immediately feasible. Systems that do not use any drivers invoking genpd_dev_pm_attach_by_id() are not exposed; administrators on embedded or SoC platforms can audit their driver tree with grep -r 'genpd_dev_pm_attach_by_id' to confirm exposure. As a compensating control prior to patching, restricting unprivileged local user access via SELinux, AppArmor, or reduced attack surface (removing unnecessary local accounts) reduces the risk of a local attacker intentionally triggering the detach path. Applying the kernel patch does not introduce known functional regressions, as it simply adds the missing symmetric pm_runtime_disable() call.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35158
GHSA-6pv2-qc8v-r267