Skip to main content

Linux Kernel EUVDEUVD-2026-32345

| CVE-2026-45879 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-ww5g-f76r-4mww
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.3 MEDIUM

Local access and low privileges to drive probe/removal (AV:L/PR:L); winning a tight IRQ-vs-free race makes AC:H; outcome is memory corruption/crash (I:H/A:H) with no direct disclosure (C:N).

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 23:32 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

power: supply: bq25980: Fix use-after-free in power_supply_changed()

Using the devm_ variant for requesting IRQ _before_ the devm_ variant for allocating/registering the power_supply handle, means that the power_supply handle will be deallocated/unregistered _before_ the interrupt handler (since devm_ naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the power_supply handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling power_supply_changed() with a freed power_supply handle. Which usually crashes the system or otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during probe(); the possibility of an interrupt firing _before_ registering the power_supply handle. This would then lead to the nasty situation of using the power_supply handle *uninitialized* in power_supply_changed().

Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the power_supply handle.

AnalysisAI

Local privilege-level use-after-free in the Linux kernel's bq25980 battery charger power-supply driver (drivers/power/supply/bq25980.c) allows a triggered IRQ to call power_supply_changed() on a freed or uninitialized power_supply handle, typically crashing the system or corrupting memory. The flaw stems from devm-managed IRQ registration ordering relative to power_supply registration, creating a race during driver probe and removal. EPSS is negligible (0.02%, 7th percentile), there is no public exploit identified at time of analysis, and it is not on CISA KEV; the fix is committed upstream and shipped in multiple stable kernels.

Technical ContextAI

The affected component is the bq25980 driver, which supports Texas Instruments BQ25980/BQ25975/BQ25960 switched-cap battery chargers exposed through the kernel's power_supply subsystem. The root cause is CWE-416 (Use After Free). The driver uses devm_-managed resource allocation, where resources are released in reverse order of acquisition. Because the IRQ was requested with devm_ before the power_supply handle was registered with devm_, the power_supply object is torn down first during device removal while the still-live interrupt handler can fire and dereference the now-freed pointer in power_supply_changed(). A symmetric window exists at probe(): an interrupt arriving before the power_supply handle is registered would use an uninitialized handle. The fix reorders initialization so the IRQ is requested only after the power_supply handle is registered. CPE data identifies the affected product generically as cpe:2.3:o:linux:linux_kernel (multiple version ranges), with no version bounds encoded in the CPE strings themselves.

RemediationAI

Apply the vendor (stable kernel) update for your branch: upgrade to at least 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, or 6.19.4, or mainline 7.0, which reorder IRQ registration to occur after the power_supply handle is registered (Vendor-released patch confirmed via the git.kernel.org stable commits, e.g. https://git.kernel.org/stable/c/03d1e4ee4e6aa6d2966e883e4ca0e5be73bf1b7c). For distribution kernels, take the corresponding distro-backported package update. If you cannot patch immediately, the targeted compensating control is to avoid loading or to blacklist the bq25980 module on systems that do not use this TI charger (e.g. add the module to modprobe blacklist), which removes the vulnerable code path entirely with no functional loss on unaffected hardware; on devices that genuinely depend on the charger, avoid repeated unbind/rebind or hot-removal of the driver, since the race is tied to probe/removal timing. Note the trade-off: blacklisting the module disables charger monitoring/control on any board that actually relies on bq25980. Advisory references: https://nvd.nist.gov/vuln/detail/CVE-2026-45879, https://vuldb.com/vuln/366129.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

EUVD-2026-32345 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy