Skip to main content

Linux Kernel EUVDEUVD-2026-32382

| CVE-2026-45916 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-5xvw-pq6r-hp3w
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.7 MEDIUM

Race condition (AC:H) reachable only via local driver unbind typically needing root (PR:H/AV:L); impact is kernel memory corruption and crash (I:H/A:H) with no direct data disclosure (C:N).

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 19:50 vuln.today
CVSS changed
Jun 24, 2026 - 17:38 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

power: supply: sbs-battery: Fix use-after-free in power_supply_changed()

Using the devm_ variant for requesting IRQ _before_ the devm_ variant for allocating/registering the power_supply handle, means that the power_supply handle will be deallocated/unregistered _before_ the interrupt handler (since devm_ naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the power_supply handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling power_supply_changed() with a freed power_supply handle. Which usually crashes the system or otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during probe(); the possibility of an interrupt firing _before_ registering the power_supply handle. This would then lead to the nasty situation of using the power_supply handle *uninitialized* in power_supply_changed().

Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the power_supply handle. Keep the old behavior of just printing a warning in case of any failures during the IRQ request and finishing the probe successfully.

AnalysisAI

Local privilege-relevant memory corruption in the Linux kernel's sbs-battery power supply driver (drivers/power/supply/sbs-battery) stems from a use-after-free in power_supply_changed(). Because the driver requested its IRQ via devm_ before allocating/registering the power_supply handle, devm teardown frees the handle in reverse order while the interrupt is still live, so an SMBus battery interrupt firing during device removal (or before registration during probe) invokes power_supply_changed() on a freed or uninitialized pointer, typically crashing the system or silently corrupting memory. EPSS is negligible (0.02%, 7th percentile), no public exploit is identified, and it is not on CISA KEV; the fix is upstream-committed and shipped in multiple stable releases.

Technical ContextAI

The affected component is the SBS (Smart Battery System) driver, drivers/power/supply/sbs-battery.c, which talks to SMBus/I2C smart batteries and uses an optional interrupt line to learn of battery state changes. The root cause is CWE-416 (Use-After-Free), arising from the kernel's devm (managed device resource) ordering guarantee: devm-registered resources are released in reverse order of acquisition. The driver acquired the IRQ (devm_request_threaded_irq) before registering the power_supply object (devm_power_supply_register), so on unbind the power_supply is freed first while the still-armed interrupt handler can race in and dereference the freed handle inside power_supply_changed(). A symmetric probe-time window also exists where an early interrupt could reach an uninitialized handle. The CPE set identifies cpe:2.3:o:linux:linux_kernel as the affected operating-system kernel across many versions.

RemediationAI

Update to a fixed stable kernel for your branch: 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, or 7.0 (or later), which reorder the IRQ request to occur after power_supply registration and tolerate IRQ-request failure with a warning. The upstream fix is available as stable commits (e.g. https://git.kernel.org/stable/c/ca7dd71773e4e050b0fb98768b7eae60f8d1f38b and the other git.kernel.org/stable references for CVE-2026-45916), so 'Vendor-released patch' applies via these tagged stable releases. If you cannot patch immediately and the platform allows it, a compensating control is to avoid hot unbind/rebind of the sbs-battery device and restrict root/administrative access that can drive device removal, since the race is reached through unbind or probe timing; on systems with no SBS smart battery, blacklisting/not loading the sbs-battery module removes exposure entirely at the cost of losing battery telemetry for that hardware.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

EUVD-2026-32382 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy