Description
In the Linux kernel, the following vulnerability has been resolved:

power: supply: act8945a: Fix use-after-free in power_supply_changed()

Using the `devm_` variant for requesting IRQ _before_ the `devm_`
variant for allocating/registering the `power_supply` handle, means that
the `power_supply` handle will be deallocated/unregistered _before_ the
interrupt handler (since `devm_` naturally deallocates in reverse
allocation order). This means that during removal, there is a race
condition where an interrupt can fire just _after_ the `power_supply`
handle has been freed, *but* just _before_ the corresponding
unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling `power_supply_changed()` with
a freed `power_supply` handle. Which usually crashes the system or
otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during
`probe()`; the possibility of an interrupt firing _before_ registering
the `power_supply` handle. This would then lead to the nasty situation
of using the `power_supply` handle *uninitialized* in
`power_supply_changed()`.

Fix this racy use-after-free by making sure the IRQ is requested _after_
the registration of the `power_supply` handle.
Published: 2026-05-27
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The act8945a power supply driver in the Linux kernel contains a race condition that results in a use‑after‑free of the power_supply handle. The issue arises because the IRQ is requested with the devm_ variant before the devm_ allocation of the power_supply handle, causing the handle to be freed or unregistered while an interrupt can still fire. When the handler runs, power_supply_changed() is called with a freed or uninitialized struct, which normally causes a system crash or silent memory corruption.

Affected Systems

All Linux kernel builds that include the act8945a power supply driver are affected. Since the vulnerability is located in source files that are part of the mainline kernel, any kernel version prior to the patch that loads act8945a is vulnerable. No specific version ranges were provided in the advisory, so all previous releases without the fix are considered at risk.

Risk and Exploitability

The EPSS score for this vulnerability is reported as < 1%, indicating a very low but nonzero probability of exploitation; it is not listed in CISA's KEV catalog. This use‑after‑free flaw, classified as CWE‑364, could allow a locally privileged attacker to trigger an interrupt during device removal or probe, leading to a kernel crash or silent memory corruption. The attack vector is likely local and requires influence over the power supply subsystem to cause the interrupt at the precise race condition.

Generated by OpenCVE AI on May 28, 2026 at 16:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel release that includes the act8945a driver fix, ensuring the IRQ request occurs after the power_supply handle registration.
  • If an immediate kernel upgrade is not possible, consider disabling the act8945a driver or the power supply subsystem until the patch can be applied.
  • Monitor system logs for aborted interrupts or crashes related to power_supply_changed() to detect potential exploitation attempts.

Generated by OpenCVE AI on May 28, 2026 at 16:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4606-1 linux security update
History

Thu, 28 May 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 28 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: power: supply: act8945a: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle.
Title power: supply: act8945a: Fix use-after-free in power_supply_changed()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:15:47.222Z

Reserved: 2026-05-13T15:03:33.080Z

Link: CVE-2026-45867

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:00.023

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45867

cve-icon Redhat

Severity :

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45867 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T16:15:04Z

Weaknesses
  • CWE-364

    Signal Handler Race Condition