Description
In the Linux kernel, the following vulnerability has been resolved:

counter: rz-mtu3-cnt: do not use struct rz_mtu3_channel's dev member

The counter driver can use HW channels 1 and 2, while the PWM driver can
use HW channels 0, 1, 2, 3, 4, 6, 7.

The dev member is assigned both by the counter driver and the PWM driver
for channels 1 and 2, to their own struct device instance, overwriting
the previous value.

The sub-drivers race to assign their own struct device pointer to the
same struct rz_mtu3_channel's dev member.

The dev member of struct rz_mtu3_channel is used by the counter
sub-driver for runtime PM.

Depending on the probe order of the counter and PWM sub-drivers, the
dev member may point to the wrong struct device instance, causing the
counter sub-driver to do runtime PM actions on the wrong device.

To fix this, use the parent pointer of the counter, which is assigned
during probe to the correct struct device, not the struct device pointer
inside the shared struct rz_mtu3_channel.
Published: 2026-05-01
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition in the Linux kernel’s counter and PWM sub‑drivers causes a shared struct to hold an incorrect device pointer. When the counter sub‑driver performs runtime power management, it may act on the wrong struct device instance, potentially disrupting device operation or causing kernel instability. The weakness stems from improper synchronization of shared data and is classified as a race condition (CWE-362) and an incorrect use of shared data structures (CWE-820).

Affected Systems

All Linux kernel deployments that load the counter (rz‑mtu3‑cnt) and PWM drivers. No specific kernel releases are identified in the data, but any kernel that includes these drivers is potentially affected.

Risk and Exploitability

The CVSS score is not provided and EPSS data are unavailable, so the quantifiable severity is unknown. However, the flaw can be triggered by the relative probe order of the two sub‑drivers, which is potentially controllable by an attacker with sufficient local privileges that can influence device initialization. Because the flaw involves internal kernel data structures, it is considered a local‑only vulnerability; exploitation would require local access to the affected system. No workaround or public exploit is currently documented and the vulnerability is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on May 2, 2026 at 10:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a kernel version that incorporates the fix for the counter and PWM driver race condition.
  • Reboot the system after applying the patch to ensure the new driver configuration takes effect.
  • Verify that the counter driver no longer uses the shared dev member; monitor system logs for any runtime power management errors.

Generated by OpenCVE AI on May 2, 2026 at 10:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-820
References

Sat, 02 May 2026 00:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: counter: rz-mtu3-cnt: do not use struct rz_mtu3_channel's dev member The counter driver can use HW channels 1 and 2, while the PWM driver can use HW channels 0, 1, 2, 3, 4, 6, 7. The dev member is assigned both by the counter driver and the PWM driver for channels 1 and 2, to their own struct device instance, overwriting the previous value. The sub-drivers race to assign their own struct device pointer to the same struct rz_mtu3_channel's dev member. The dev member of struct rz_mtu3_channel is used by the counter sub-driver for runtime PM. Depending on the probe order of the counter and PWM sub-drivers, the dev member may point to the wrong struct device instance, causing the counter sub-driver to do runtime PM actions on the wrong device. To fix this, use the parent pointer of the counter, which is assigned during probe to the correct struct device, not the struct device pointer inside the shared struct rz_mtu3_channel.
Title counter: rz-mtu3-cnt: do not use struct rz_mtu3_channel's dev member
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T14:14:36.183Z

Reserved: 2026-03-09T15:48:24.138Z

Link: CVE-2026-31740

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:36.710

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31740

cve-icon Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31740 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T23:45:09Z

Weaknesses