Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Race condition requires specific interrupt timing during driver teardown, warranting AC:H; no confidentiality or integrity impact applies.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
power: supply: max77705: Free allocated workqueue and fix removal order
Use devm interface for allocating workqueue to fix two bugs at the same time:
- Driver leaks the memory on remove(), because the workqueue is not
destroyed.
- Driver allocates workqueue and then registers interrupt handlers
with devm interface. This means that probe error paths will not use a reversed order, but first destroy the workqueue and then, via devm release handlers, free the interrupt.
The interrupt handler schedules work on this exact workqueue, thus if interrupt is hit in this short time window - after destroying workqueue, but before devm() frees the interrupt - the schedulled work will lead to use of freed memory.
Change is not equivalent in the workqueue itself: use non-legacy API which does not set (__WQ_LEGACY | WQ_MEM_RECLAIM). The workqueue is used to update power supply (power_supply_changed()) status, thus there is no point to run it for memory reclaim. Note that dev_name() is not directly used in second argument to prevent possible unlikely parsing any "%" character in device name as format.
AnalysisAI
Use-after-free and memory leak in the Linux kernel max77705 power supply driver expose systems with Maxim MAX77705 PMIC hardware to local denial-of-service. Two concurrent bugs exist: the workqueue is never destroyed on driver removal (memory leak), and a race condition allows an interrupt handler to schedule work on an already-freed workqueue if the interrupt fires after workqueue destruction but before the devm interface releases the interrupt registration. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) physical or logical access to a Linux system equipped with a Maxim MAX77705 PMIC - hardware found primarily in Samsung Galaxy S10/Note 10 devices and certain embedded boards; (2) a kernel with CONFIG_CHARGER_MAX77705 enabled (compiled in or as a loadable module); (3) local code execution with at least low-privilege credentials to influence device state or module lifecycle; (4) a race condition timing window during driver removal or probe error path. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is low-to-moderate for the narrow hardware cohort this driver serves, and negligible for general infrastructure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user on a Samsung Galaxy S10/Note 10 or embedded Linux platform with a MAX77705 PMIC triggers rapid module removal or system suspend/resume cycles while the device generates charging interrupts. If the interrupt fires in the narrow window after the workqueue is destroyed but before devm releases the interrupt handler, the kernel executes schedule_work() against freed memory, potentially causing a kernel panic or exploitable memory corruption. … |
| Remediation | The primary fix is to upgrade to a patched stable kernel release: Linux 7.0.10 (patch commit b98e4e57e34d099a8f846fa54749654082975ea0, see https://git.kernel.org/stable/c/b98e4e57e34d099a8f846fa54749654082975ea0) or Linux 7.1 (patch commit 1e668baadefb16e81269dbfebf3ffc2672e3a3bb, see https://git.kernel.org/stable/c/1e668baadefb16e81269dbfebf3ffc2672e3a3bb). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-401 – Memory Leak
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39843
GHSA-2vjf-7vmh-8jpp