Skip to main content

Linux Kernel EUVDEUVD-2026-32351

| CVE-2026-45885 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-pxv4-rwxf-m755
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.3 MEDIUM

Local race condition needs privileged driver lifecycle access (PR:L) and is non-deterministic (AC:H); primary impact is a crash (A:H) with limited integrity from memory corruption (I:L) and no confidentiality disclosure.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
SUSE
6.3 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 23:32 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

power: supply: cpcap-battery: Fix use-after-free in power_supply_changed()

Using the devm_ variant for requesting IRQ _before_ the devm_ variant for allocating/registering the power_supply handle, means that the power_supply handle will be deallocated/unregistered _before_ the interrupt handler (since devm_ naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the power_supply handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling power_supply_changed() with a freed power_supply handle. Which usually crashes the system or otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during probe(); the possibility of an interrupt firing _before_ registering the power_supply handle. This would then lead to the nasty situation of using the power_supply handle *uninitialized* in power_supply_changed().

Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the power_supply handle.

AnalysisAI

Local privilege-impacting memory corruption in the Linux kernel's cpcap-battery power supply driver allows a use-after-free in power_supply_changed() triggered during device probe or removal. The driver requested its IRQ via devm_ before registering the power_supply handle, so on teardown the handle is freed while the interrupt handler can still fire, dereferencing freed memory and typically crashing the system or silently corrupting memory. EPSS is negligible (0.02%, 7th percentile) and there is no public exploit identified at time of analysis; the issue is confined to Motorola CPCAP PMIC hardware (e.g. Droid 4) rather than general-purpose servers.

Technical ContextAI

The affected component is drivers/power/supply/cpcap-battery.c, the battery driver for the Motorola CPCAP (CPCAP PMIC) found in OMAP4-based devices such as the Droid 4. The root cause is CWE-416 (Use After Free) arising from the ordering of managed-resource (devm_) allocations: because devm_ resources are released in reverse order of acquisition, requesting the IRQ before registering the power_supply object means the power_supply is unregistered/freed first on removal, leaving a live IRQ that calls power_supply_changed() on a dangling pointer. The mirror-image problem exists at probe time, where an interrupt firing before the power_supply is registered would dereference an uninitialized handle. The fix reorders initialization so the IRQ is requested only after the power_supply is registered. Affected CPE is cpe:2.3:o:linux:linux_kernel (wildcard versions); the bug dates back to the driver's introduction (kernel ~4.13).

RemediationAI

Vendor-released patch: update to a fixed stable kernel - 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, or 7.0 (or later) - matching your kernel branch; the upstream fix simply reorders driver init so the IRQ is requested after the power_supply is registered. Apply the relevant stable commit (e.g. https://git.kernel.org/stable/c/f3fbe309c9bfe1aac1e2b26543e9dc4829f3275a) referenced from https://nvd.nist.gov/vuln/detail/CVE-2026-45885. If immediate patching is not possible, the practical compensating control is to avoid triggering the race: do not unbind/rebind or hot-remove the cpcap-battery driver, and on systems that do not use Motorola CPCAP hardware blacklist the cpcap_battery module entirely (modprobe blacklist) so it never loads - the side effect being loss of battery monitoring on any device that genuinely depends on it. Restricting which local users can trigger driver bind/unbind (sysfs and module load permissions are root-only by default) further limits the window.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

EUVD-2026-32351 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy