Description
In the Linux kernel, the following vulnerability has been resolved:

counter: rz-mtu3-cnt: prevent counter from being toggled multiple times

Runtime PM counter is incremented / decremented each time the sysfs
enable file is written to.

If user writes 0 to the sysfs enable file multiple times, runtime PM
usage count underflows, generating the following message.

rz-mtu3-counter rz-mtu3-counter.0: Runtime PM usage count underflow!

At the same time, hardware registers end up being accessed with clocks
off in rz_mtu3_terminate_counter() to disable an already disabled
channel.

If user writes 1 to the sysfs enable file multiple times, runtime PM
usage count will be incremented each time, requiring the same number of
0 writes to get it back to 0.

If user writes 0 to the sysfs enable file while PWM is in progress, PWM
is stopped without counter being the owner of the underlying MTU3
channel.

Check against the cached count_is_enabled value and exit if the user
is trying to set the same enable value.
Published: 2026-05-01
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the Linux kernel’s rz_mtu3 module, where repeated writes to the sysfs enable file adjust a runtime power‑management counter without bounds checking. Because the kernel does not validate the current counter state before incrementing or decrementing, repeated writes can cause the counter to under‑flow or over‑increment. The resulting counter mis‑management triggers erroneous hardware register accesses, optionally disabling clocks or prematurely stopping PWM operations. This flaw is a counter manipulation vulnerability (CWE‑911).

Affected Systems

The vulnerability affects any Linux kernel that includes the rz_mtu3 driver. No specific kernel version range is listed in the advisory, so all builds that ship the module are potentially affected until the counter logic is fixed.

Risk and Exploitability

The vulnerability can only be triggered by a user who can write to the sysfs enable file, which typically requires local privileged or root access. The likely attack vector is a local privileged attacker who performs repeated writes to the enable file—either directly or through a privileged script—to cause the runtime PM counter to mis‑behave. While no EPSS score is available and the flaw is not in the CISA KEV catalog, its absence of counter checks implies a moderate to high likelihood that a locally privileged user could induce a denial of service by disabling hardware functionality or by corrupting the PWM channel. The attack path is straightforward: write the same value to the enable file repeatedly until the counter under‑flows or over‑increments.

Generated by OpenCVE AI on May 2, 2026 at 10:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the fixed rz_mtu3 counter logic
  • If an update is not yet available, restrict write permissions on the /sys/class/rz_mtu3/.../enable file so only trusted users can modify it
  • Before writing to the enable file, read its current state and avoid writing the same value multiple times; ensure idempotent writes
  • Monitor kernel logs for "Runtime PM usage count underflow" messages and take corrective action if repeated errors occur

Generated by OpenCVE AI on May 2, 2026 at 10:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: counter: rz-mtu3-cnt: prevent counter from being toggled multiple times Runtime PM counter is incremented / decremented each time the sysfs enable file is written to. If user writes 0 to the sysfs enable file multiple times, runtime PM usage count underflows, generating the following message. rz-mtu3-counter rz-mtu3-counter.0: Runtime PM usage count underflow! At the same time, hardware registers end up being accessed with clocks off in rz_mtu3_terminate_counter() to disable an already disabled channel. If user writes 1 to the sysfs enable file multiple times, runtime PM usage count will be incremented each time, requiring the same number of 0 writes to get it back to 0. If user writes 0 to the sysfs enable file while PWM is in progress, PWM is stopped without counter being the owner of the underlying MTU3 channel. Check against the cached count_is_enabled value and exit if the user is trying to set the same enable value.
Title counter: rz-mtu3-cnt: prevent counter from being toggled multiple times
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T14:14:36.845Z

Reserved: 2026-03-09T15:48:24.138Z

Link: CVE-2026-31741

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:36.820

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31741

cve-icon Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31741 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T10:30:40Z

Weaknesses