Description
In the Linux kernel, the following vulnerability has been resolved:

thermal: core: Fix thermal zone device registration error path

If thermal_zone_device_register_with_trips() fails after registering
a thermal zone device, it needs to wait for the tz->removal completion
like thermal_zone_device_unregister(), in case user space has managed
to take a reference to the thermal zone device's kobject, in which case
thermal_release() may not be called by the error path itself and tz may
be freed prematurely.

Add the missing wait_for_completion() call to the thermal zone device
registration error path.

Published: 2026-05-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s thermal core did not wait for the tz->removal completion when thermal_zone_device_register_with_trips() failed after the thermal zone device had already been registered. If user space still holds a reference to the device’s kobject at that point, thermal_release() may not be called by the error path itself, and tz may be freed while that reference is still live, causing a use‑after‑free. This kernel fault can lead to a crash and bring the system down. Based on the description, it is inferred that the flaw can be triggered by code that forces a thermal zone registration to fail, which typically requires a privileged or local attacker capable of executing kernel‑level code.

Affected Systems

All releases of the Linux kernel built before the applied fix are affected. The vulnerability applies to the entire Linux:Linux product family, and any vendor that ships an unpatched kernel image will be vulnerable. Because the specific version range is not enumerated, any kernel that does not contain the referenced commit is at risk. System administrators should verify that the running kernel contains the fix or upgrade to a newer release that incorporates it.

Risk and Exploitability

The EPSS score is not available and the fault is not listed in the CISA KEV catalog, suggesting that exploitation has not yet been observed in the wild. However, the use‑after‑free is a high‑severity kernel bug, and a local attacker could exploit it to crash the system. The likelihood of exploitation is therefore considered moderate until an exploit is documented, but the potential impact remains high.

Generated by OpenCVE AI on May 8, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the fix for thermal zone registration error handling
  • Restart the system to ensure the updated kernel is running
  • Monitor system logs (e.g., dmesg) for thermal driver errors and verify that no use‑after‑free faults occur

Advisories

No advisories yet.

History

Fri, 08 May 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-416 |

Fri, 08 May 2026 14:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix thermal zone device registration error path If thermal_zone_device_register_with_trips() fails after registering a thermal zone device, it needs to wait for the tz->removal completion like thermal_zone_device_unregister(), in case user space has managed to take a reference to the thermal zone device's kobject, in which case thermal_release() may not be called by the error path itself and tz may be freed prematurely. Add the missing wait_for_completion() call to the thermal zone device registration error path. |
| Title | | thermal: core: Fix thermal zone device registration error path |
| First Time appeared | | Linux; Linux linux Kernel |
| CPEs | | `cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Linux; Linux linux Kernel |
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T13:31:19.460Z

Reserved: 2026-05-01T14:12:56.002Z

Link: CVE-2026-43332

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T14:16:42.880

Modified: 2026-05-08T14:16:42.880

Link: CVE-2026-43332

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T23:15:20Z

Weaknesses