Skip to main content

Linux Kernel EUVDEUVD-2026-26544

| CVE-2026-31731 HIGH
Use After Free (CWE-416)
2026-05-01 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 18:00 vuln.today
CVSS changed
May 07, 2026 - 15:52 NVD
7.8 (HIGH)
Patch available
May 01, 2026 - 16:02 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26544
CVE Published
May 01, 2026 - 14:14 nvd
HIGH 7.8
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

thermal: core: Address thermal zone removal races with resume

Since thermal_zone_pm_complete() and thermal_zone_device_resume() re-initialize the poll_queue delayed work for the given thermal zone, the cancel_delayed_work_sync() in thermal_zone_device_unregister() may miss some already running work items and the thermal zone may be freed prematurely [1].

There are two failing scenarios that both start with running thermal_pm_notify_complete() right before invoking thermal_zone_device_unregister() for one of the thermal zones.

In the first scenario, there is a work item already running for the given thermal zone when thermal_pm_notify_complete() calls thermal_zone_pm_complete() for that thermal zone and it continues to run when thermal_zone_device_unregister() starts. Since the poll_queue delayed work has been re-initialized by thermal_pm_notify_complete(), the running work item will be missed by the cancel_delayed_work_sync() in thermal_zone_device_unregister() and if it continues to run past the freeing of the thermal zone object, a use-after-free will occur.

In the second scenario, thermal_zone_device_resume() queued up by thermal_pm_notify_complete() runs right after the thermal_zone_exit() called by thermal_zone_device_unregister() has returned. The poll_queue delayed work is re-initialized by it before cancel_delayed_work_sync() is called by thermal_zone_device_unregister(), so it may continue to run after the freeing of the thermal zone object, which also leads to a use-after-free.

Address the first failing scenario by ensuring that no thermal work items will be running when thermal_pm_notify_complete() is called. For this purpose, first move the cancel_delayed_work() call from thermal_zone_pm_complete() to thermal_zone_pm_prepare() to prevent new work from entering the workqueue going forward. Next, switch over to using a dedicated workqueue for thermal events and update the code in thermal_pm_notify() to flush that workqueue after thermal_pm_notify_prepare() has returned which will take care of all leftover thermal work already on the workqueue (that leftover work would do nothing useful anyway because all of the thermal zones have been flagged as suspended).

The second failing scenario is addressed by adding a tz->state check to thermal_zone_device_resume() to prevent it from re-initializing the poll_queue delayed work if the thermal zone is going away.

Note that the above changes will also facilitate relocating the suspend and resume of thermal zones closer to the suspend and resume of devices, respectively.

AnalysisAI

Use-after-free in Linux kernel thermal subsystem allows local attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability stems from race conditions between thermal zone removal and power management resume operations, where delayed work items can continue executing after thermal zone objects are freed. EPSS score of 0.02% (5th percentile) suggests low probability of mass exploitation despite high CVSS severity. Vendor patches available across multiple stable kernel branches (6.12.83, 6.18.22, 6.19.12, 7.0) via upstream commits. No active exploitation confirmed in CISA KEV at time of analysis.

Technical ContextAI

The Linux kernel thermal subsystem manages CPU/device temperature monitoring and cooling through thermal zones. This vulnerability (CWE-416: Use After Free) occurs in the thermal core's power management integration where thermal_zone_pm_complete() and thermal_zone_device_resume() reinitialize poll_queue delayed work during system resume. Two race windows exist: (1) work items already running when thermal_pm_notify_complete() reinitializes the delayed work are missed by cancel_delayed_work_sync() in thermal_zone_device_unregister(), and (2) thermal_zone_device_resume() can queue new work after thermal_zone_exit() completes but before cancellation occurs. Both scenarios allow work callbacks to execute against freed thermal zone objects. The fix introduces a dedicated thermal workqueue, moves work cancellation earlier in the suspend flow, adds workqueue flushing after thermal_pm_notify_prepare(), and adds state checks to prevent work re-initialization during teardown. Affects Linux kernel versions from 5a5efdaffda5d23717d9117cf36cda9eafcf2fae onward across multiple stable branches.

RemediationAI

Upgrade to patched Linux kernel versions: 6.12.83 or later for 6.12.x branch, 6.18.22 or later for 6.18.x branch, 6.19.12 or later for 6.19.x branch, or 7.0 or later for mainline. Distribution-specific packages available through standard update channels (apt, yum, dnf, zypper). Verify patch application by checking kernel version with 'uname -r' and confirming presence of commits 1a6d2b001eb7 (6.12 fix), 2dbe93f344f1 (6.18 fix), c4593f1654f7 (6.19 fix), or 45b859b07282 (mainline fix) via 'git log' on kernel source. If immediate patching is not feasible, implement compensating controls: (1) disable automatic suspend/resume on affected systems via 'systemctl mask sleep.target suspend.target' - note this prevents power management benefits, (2) restrict local user access and enforce principle of least privilege to limit PR:L attack prerequisite, (3) enable kernel address space layout randomization (KASLR) if not already active to increase exploitation difficulty, (4) monitor for unexpected system crashes during suspend/resume cycles as potential exploitation indicators. Reboot required after kernel upgrade to activate patched version. Side effects of disabling suspend: increased power consumption on laptops/mobile devices and loss of fast resume capability.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26544 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy