Skip to main content

Linux Kernel EUVDEUVD-2026-32402

| CVE-2026-46021 MEDIUM
Memory Leak (CWE-401)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-7x76-cw6q-rm95
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Race condition between sysfs write and kernel unregistration warrants AC:H; PR:L reflects sysfs write access; no confidentiality or integrity impact is confirmed by available data.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 18:28 vuln.today
CVSS changed
Jun 16, 2026 - 16:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

thermal: core: Fix thermal zone governor cleanup issues

If thermal_zone_device_register_with_trips() fails after adding a thermal governor to the thermal zone being registered, the governor is not removed from it as appropriate which may lead to a memory leak.

In turn, thermal_zone_device_unregister() calls thermal_set_governor() without acquiring the thermal zone lock beforehand which may race with a governor update via sysfs and may lead to a use-after-free in that case.

Address these issues by adding two thermal_set_governor() calls, one to thermal_release() to remove the governor from the given thermal zone, and one to the thermal zone registration error path to cover failures preceding the thermal zone device registration.

AnalysisAI

Two related memory-management defects in the Linux kernel thermal zone governor subsystem expose local low-privileged users to system availability loss. The first is a memory leak (CWE-401) in the registration error path of thermal_zone_device_register_with_trips(), which fails to remove an attached governor when registration fails mid-way. The second, and more critically impactful, is a race condition in thermal_zone_device_unregister(), which calls thermal_set_governor() without first acquiring the thermal zone lock - permitting a concurrent sysfs-based governor update to produce a use-after-free, which can trigger a kernel panic. No public exploit code exists and EPSS is 0.02% (5th percentile); vendor-released patches are available across multiple stable kernel branches including 6.6.140, 6.12.86, 6.18.27, and 7.0.4.

Technical ContextAI

The Linux kernel thermal management subsystem (drivers/thermal/thermal_core.c) manages thermal zones - abstract representations of hardware temperature sensors - paired with thermal governors (control algorithms such as 'step_wise' or 'power_allocator') and trip points. Thermal zone lifecycle is managed via thermal_zone_device_register_with_trips() for registration and thermal_zone_device_unregister() for removal. The governor attachment and detachment function, thermal_set_governor(), modifies shared state and must be called while holding the thermal zone lock to prevent concurrent access. CWE-401 (Missing Release of Memory after Effective Lifetime) manifests in the registration error path: when thermal_zone_device_register_with_trips() fails after a governor has already been attached, it does not call thermal_set_governor(NULL) to detach and free the governor reference, leaving orphaned memory. The race condition arises because thermal_zone_device_unregister() calls thermal_set_governor() without the zone lock, creating a TOCTOU window where a concurrent write to the sysfs governor attribute (e.g., /sys/class/thermal/thermal_zoneN/policy) can modify the governor pointer concurrently, resulting in a use-after-free dereference. The fix introduces thermal_set_governor() calls in both thermal_release() and the registration error path to close both gaps. Affected CPE: cpe:2.3:o:linux:linux_kernel across multiple version branches back to approximately kernel 4.2 per EUVD data.

RemediationAI

The primary fix is to upgrade to a patched kernel version: 6.6.140 or later for the 6.6.x stable branch, 6.12.86 or later for the 6.12.x branch, 6.18.27 or later for the 6.18.x branch, 7.0.4 or later for the 7.0.x branch, or any release at or after mainline commit 37a430a2d4e66ec8238da6c7f7e48809bf265e13 (7.1-rc1). Fix commits are available at https://git.kernel.org/stable/c/37a430a2d4e66ec8238da6c7f7e48809bf265e13 and the four related stable-branch commits referenced in NVD. Distribution-specific kernel updates should be obtained from the respective vendor security channels and may already bundle these fixes. As a compensating control prior to patching, restrict write access to sysfs thermal zone governor attributes (typically located at /sys/class/thermal/thermal_zoneN/policy) via udev rules, filesystem ACLs, or an LSM policy such as SELinux or AppArmor, preventing unprivileged users from writing to these files; note that this may interfere with userspace thermal management daemons that depend on dynamic governor switching. Container deployments that do not mount /sys or that use a read-only sysfs bind mount are not exposed to the race condition vector. No additional workarounds for the memory leak path are necessary given its lower severity and the availability of patches.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.158 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.144 Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.173 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.144 Affected
Container suse/sle-micro-rancher/5.3:latest Container suse/sle-micro-rancher/5.4:5.4.4.5.127 Affected
SUSE Linux Enterprise High Availability Extension 15 SP4 Fixed
SUSE Linux Enterprise High Availability Extension 16.0 Fixed

Share

EUVD-2026-32402 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy