Description
In the Linux kernel, the following vulnerability has been resolved:

counter: rz-mtu3-cnt: prevent counter from being toggled multiple times

Runtime PM counter is incremented / decremented each time the sysfs
enable file is written to.

If user writes 0 to the sysfs enable file multiple times, runtime PM
usage count underflows, generating the following message.

rz-mtu3-counter rz-mtu3-counter.0: Runtime PM usage count underflow!

At the same time, hardware registers end up being accessed with clocks
off in rz_mtu3_terminate_counter() to disable an already disabled
channel.

If user writes 1 to the sysfs enable file multiple times, runtime PM
usage count will be incremented each time, requiring the same number of
0 writes to get it back to 0.

If user writes 0 to the sysfs enable file while PWM is in progress, PWM
is stopped without counter being the owner of the underlying MTU3
channel.

Check against the cached count_is_enabled value and exit if the user
is trying to set the same enable value.
Published: 2026-05-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the Linux kernel’s rz_mtu3 module, where repeated writes to the sysfs enable file adjust a runtime power‑management counter without bounds checking. Because the kernel does not validate the current counter state before incrementing or decrementing, repeated writes can cause the counter to under‑flow or over‑increment. The resulting counter mis‑management triggers erroneous hardware register accesses, optionally disabling clocks or prematurely stopping PWM operations. This flaw is a counter manipulation vulnerability (CWE‑911).

Affected Systems

Any Linux kernel build that includes the rz_mtu3 driver is affected. The CPES list indicates kernels from Linux 7.0 rc1 through rc6 and all subsequent kernels that include this module may be vulnerable until the fix is applied. No specific version range was formalized in the advisory, so all builds shipping the module could be impacted.

Risk and Exploitability

The vulnerability can be triggered by writing to the /sys/class/rz_mtu3/.../enable file. The likely attack vector is a local attacker who has write access to that sysfs entry; typically this requires local privileged or root access, but the exact privilege level is not explicitly stated in the advisory and is inferred. The EPSS score of <1% indicates a very low probability of exploitation, and the CVSS score of 5.5 reflects a moderate severity rating. The flaw is not listed in the CISA KEV catalog. Exploitation would result in counter underflow, incorrect clock states, and potential interruption of PWM operations.

Generated by OpenCVE AI on May 7, 2026 at 22:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the fixed rz_mtu3 counter logic
  • If an update is not yet available, restrict write permissions on the /sys/class/rz_mtu3/.../enable file so only trusted users can modify it
  • Before writing to the enable file, read its current state and avoid writing the same value multiple times; ensure idempotent writes
  • Monitor kernel logs for "Runtime PM usage count underflow" messages and take corrective action if repeated errors occur

Generated by OpenCVE AI on May 7, 2026 at 22:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-Other
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: counter: rz-mtu3-cnt: prevent counter from being toggled multiple times Runtime PM counter is incremented / decremented each time the sysfs enable file is written to. If user writes 0 to the sysfs enable file multiple times, runtime PM usage count underflows, generating the following message. rz-mtu3-counter rz-mtu3-counter.0: Runtime PM usage count underflow! At the same time, hardware registers end up being accessed with clocks off in rz_mtu3_terminate_counter() to disable an already disabled channel. If user writes 1 to the sysfs enable file multiple times, runtime PM usage count will be incremented each time, requiring the same number of 0 writes to get it back to 0. If user writes 0 to the sysfs enable file while PWM is in progress, PWM is stopped without counter being the owner of the underlying MTU3 channel. Check against the cached count_is_enabled value and exit if the user is trying to set the same enable value.
Title counter: rz-mtu3-cnt: prevent counter from being toggled multiple times
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:14:51.833Z

Reserved: 2026-03-09T15:48:24.138Z

Link: CVE-2026-31741

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T15:16:36.820

Modified: 2026-05-07T19:55:42.487

Link: CVE-2026-31741

cve-icon Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31741 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T22:45:24Z

Weaknesses