Skip to main content

Linux Kernel CVE-2026-53308

| EUVDEUVD-2026-39843 MEDIUM
Memory Leak (CWE-401)
2026-06-26 Linux GHSA-2vjf-7vmh-8jpp
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Race condition requires specific interrupt timing during driver teardown, warranting AC:H; no confidentiality or integrity impact applies.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 06, 2026 - 20:32 vuln.today
CVSS changed
Jul 06, 2026 - 20:22 NVD
5.5 (MEDIUM)
Patch available
Jun 26, 2026 - 21:02 EUVD
CVE Published
Jun 26, 2026 - 19:41 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 26, 2026 - 19:41 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

power: supply: max77705: Free allocated workqueue and fix removal order

Use devm interface for allocating workqueue to fix two bugs at the same time:

  1. Driver leaks the memory on remove(), because the workqueue is not

destroyed.

  1. Driver allocates workqueue and then registers interrupt handlers

with devm interface. This means that probe error paths will not use a reversed order, but first destroy the workqueue and then, via devm release handlers, free the interrupt.

The interrupt handler schedules work on this exact workqueue, thus if interrupt is hit in this short time window - after destroying workqueue, but before devm() frees the interrupt - the schedulled work will lead to use of freed memory.

Change is not equivalent in the workqueue itself: use non-legacy API which does not set (__WQ_LEGACY | WQ_MEM_RECLAIM). The workqueue is used to update power supply (power_supply_changed()) status, thus there is no point to run it for memory reclaim. Note that dev_name() is not directly used in second argument to prevent possible unlikely parsing any "%" character in device name as format.

AnalysisAI

Use-after-free and memory leak in the Linux kernel max77705 power supply driver expose systems with Maxim MAX77705 PMIC hardware to local denial-of-service. Two concurrent bugs exist: the workqueue is never destroyed on driver removal (memory leak), and a race condition allows an interrupt handler to schedule work on an already-freed workqueue if the interrupt fires after workqueue destruction but before the devm interface releases the interrupt registration. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Access local shell on MAX77705-equipped device
Delivery
Trigger driver removal or rapid hotplug cycle
Exploit
Interrupt fires after workqueue freed
Execution
schedule_work() dereferences freed workqueue
Persist
Kernel panic or memory corruption
Impact
Denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) physical or logical access to a Linux system equipped with a Maxim MAX77705 PMIC - hardware found primarily in Samsung Galaxy S10/Note 10 devices and certain embedded boards; (2) a kernel with CONFIG_CHARGER_MAX77705 enabled (compiled in or as a loadable module); (3) local code execution with at least low-privilege credentials to influence device state or module lifecycle; (4) a race condition timing window during driver removal or probe error path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is low-to-moderate for the narrow hardware cohort this driver serves, and negligible for general infrastructure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user on a Samsung Galaxy S10/Note 10 or embedded Linux platform with a MAX77705 PMIC triggers rapid module removal or system suspend/resume cycles while the device generates charging interrupts. If the interrupt fires in the narrow window after the workqueue is destroyed but before devm releases the interrupt handler, the kernel executes schedule_work() against freed memory, potentially causing a kernel panic or exploitable memory corruption. …
Remediation The primary fix is to upgrade to a patched stable kernel release: Linux 7.0.10 (patch commit b98e4e57e34d099a8f846fa54749654082975ea0, see https://git.kernel.org/stable/c/b98e4e57e34d099a8f846fa54749654082975ea0) or Linux 7.1 (patch commit 1e668baadefb16e81269dbfebf3ffc2672e3a3bb, see https://git.kernel.org/stable/c/1e668baadefb16e81269dbfebf3ffc2672e3a3bb). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53308 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy