Description
In the Linux kernel, the following vulnerability has been resolved:

counter: rz-mtu3-cnt: do not use struct rz_mtu3_channel's dev member

The counter driver can use HW channels 1 and 2, while the PWM driver can
use HW channels 0, 1, 2, 3, 4, 6, 7.

The dev member is assigned both by the counter driver and the PWM driver
for channels 1 and 2, to their own struct device instance, overwriting
the previous value.

The sub-drivers race to assign their own struct device pointer to the
same struct rz_mtu3_channel's dev member.

The dev member of struct rz_mtu3_channel is used by the counter
sub-driver for runtime PM.

Depending on the probe order of the counter and PWM sub-drivers, the
dev member may point to the wrong struct device instance, causing the
counter sub-driver to do runtime PM actions on the wrong device.

To fix this, use the parent pointer of the counter, which is assigned
during probe to the correct struct device, not the struct device pointer
inside the shared struct rz_mtu3_channel.
Published: 2026-05-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition between the Linux counter (rz-mtu3-cnt) and PWM drivers causes the shared struct rz_mtu3_channel to hold an incorrect struct device pointer. When the counter driver performs runtime power management it may act on the wrong device instance, potentially leaving a device in an unintended power state or triggering kernel instability. The weakness is a misuse of shared data structures (CWE-820).
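The probe-order dependence described above, as a userspace model added here for illustration (it is not the kernel driver's code). `struct counter_model`, `pm_get`, `counter_pm_target` and the device names are hypothetical stand-ins; only the shared `dev` member and the private parent pointer mirror the description.

```c
/* Userspace model of the shared-pointer bug; constructed, not kernel code. */
#include <stdio.h>
#include <string.h>
struct device { const char *name; int pm_usage; };

/* Shared per-channel state: both sub-drivers write the same dev slot. */
struct rz_mtu3_channel { struct device *dev; };

/* Hypothetical counter state: parent is private and set once at probe. */
struct counter_model { struct device *parent; struct rz_mtu3_channel *ch; };

static void pwm_probe(struct rz_mtu3_channel *ch, struct device *pwm_dev)
{
    ch->dev = pwm_dev;              /* PWM sub-driver claims the shared slot */
}

static void counter_probe(struct counter_model *c, struct rz_mtu3_channel *ch,
                          struct device *cnt_dev)
{
    c->ch = ch;
    c->parent = cnt_dev;            /* never touched by the PWM sub-driver */
    ch->dev = cnt_dev;              /* same shared slot: last writer wins */
}

/* Stand-in for a runtime PM get: count a reference on the given device. */
static void pm_get(struct device *d) { d->pm_usage++; }

/* Name of the device the counter's PM call lands on, for a probe order
 * (counter_first) and a code path (use_parent: 0 = ch->dev, 1 = parent). */
static const char *counter_pm_target(int counter_first, int use_parent)
{
    struct device cnt = { "counter-dev", 0 }, pwm = { "pwm-dev", 0 };
    struct rz_mtu3_channel ch = { NULL };
    struct counter_model c = { NULL, NULL };
    if (counter_first) { counter_probe(&c, &ch, &cnt); pwm_probe(&ch, &pwm); }
    else               { pwm_probe(&ch, &pwm); counter_probe(&c, &ch, &cnt); }

    pm_get(use_parent ? c.parent : c.ch->dev);
    return cnt.pm_usage ? cnt.name : pwm.name;
}

int main(void)
{
    for (int order = 0; order < 2; order++)
        for (int fixed = 0; fixed < 2; fixed++)
            printf("counter_first=%d use_parent=%d -> PM on %s\n",
                   order, fixed, counter_pm_target(order, fixed));
    return 0;
}
```

Only the `ch->dev` path changes its target with probe order; the parent-pointer path lands on the counter's own device in both orders.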

Affected Systems

Linux kernel builds that load both the counter and PWM drivers. The affected kernel versions are listed in the supplied CPE strings, including Linux kernel 7.0 release candidates 1 through 6; any other kernel containing these drivers may also be impacted.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity, while the EPSS score of less than 1% indicates a very low likelihood of exploitation. The flaw is not listed in CISA’s KEV catalog and no public exploits have been disclosed. Because the issue is limited to kernel internal driver coordination, only a local attacker that can influence the loading order of these drivers would be able to trigger it. No remote exploitation pathway is described in the available data.

Generated by OpenCVE AI on May 7, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the patch that switches to the parent struct device for runtime PM.
  • Restart the system after upgrading to ensure all driver modules are re-loaded with the corrected code.
  • Verify that the counter driver no longer references the shared dev member by checking kernel logs for warnings about incorrect device power management.


Advisories

No advisories yet.

History

Thu, 07 May 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Sat, 02 May 2026 11:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Sat, 02 May 2026 00:15:00 +0000


Sat, 02 May 2026 00:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: counter: rz-mtu3-cnt: do not use struct rz_mtu3_channel's dev member The counter driver can use HW channels 1 and 2, while the PWM driver can use HW channels 0, 1, 2, 3, 4, 6, 7. The dev member is assigned both by the counter driver and the PWM driver for channels 1 and 2, to their own struct device instance, overwriting the previous value. The sub-drivers race to assign their own struct device pointer to the same struct rz_mtu3_channel's dev member. The dev member of struct rz_mtu3_channel is used by the counter sub-driver for runtime PM. Depending on the probe order of the counter and PWM sub-drivers, the dev member may point to the wrong struct device instance, causing the counter sub-driver to do runtime PM actions on the wrong device. To fix this, use the parent pointer of the counter, which is assigned during probe to the correct struct device, not the struct device pointer inside the shared struct rz_mtu3_channel.
Title counter: rz-mtu3-cnt: do not use struct rz_mtu3_channel's dev member
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:14:50.719Z

Reserved: 2026-03-09T15:48:24.138Z

Link: CVE-2026-31740

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-01T15:16:36.710

Modified: 2026-05-07T19:56:03.380

Link: CVE-2026-31740

Redhat

Severity :

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31740 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-07T22:45:24Z

Weaknesses