CVE-2026-45879 - Vulnerability Details

- power: supply: bq25980: Fix use-after-free in power_supply_changed()

Description

In the Linux kernel, the following vulnerability has been resolved:

power: supply: bq25980: Fix use-after-free in power_supply_changed()

Using the `devm_` variant for requesting IRQ _before_ the `devm_`
variant for allocating/registering the `power_supply` handle, means that
the `power_supply` handle will be deallocated/unregistered _before_ the
interrupt handler (since `devm_` naturally deallocates in reverse
allocation order). This means that during removal, there is a race
condition where an interrupt can fire just _after_ the `power_supply`
handle has been freed, *but* just _before_ the corresponding
unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling `power_supply_changed()` with
a freed `power_supply` handle. Which usually crashes the system or
otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during
`probe()`; the possibility of an interrupt firing _before_ registering
the `power_supply` handle. This would then lead to the nasty situation
of using the `power_supply` handle *uninitialized* in
`power_supply_changed()`.

Fix this racy use-after-free by making sure the IRQ is requested _after_
the registration of the `power_supply` handle.

Published: 2026-05-27

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A race condition in the Linux kernel’s bq25980 power supply driver allows an interrupt to be processed after the driver’s power_supply structure has been freed or before it is fully initialized. The interrupt handler then calls power_supply_changed() with an invalid pointer, causing a kernel crash or silent memory corruption. The crash is a direct denial of service, and the memory corruption could potentially lead to further issues, though the risk of privilege escalation is not explicitly described.

Affected Systems

Any Linux system using a kernel that includes the bq25980 driver without the upstream patch. The flaw exists in all kernel versions prior to the commit that orders IRQ registration after power_supply registration, so most custom or older kernels are affected.

Risk and Exploitability

The CVSS score is not publicly listed and EPSS is not available, but the vulnerability appears solely exploitable with local or physical access to the device. No KEV listing indicates no widespread exploitation yet. Because a kernel crash compromises system availability and the memory corruption could potentially lead to further issues, the risk is considered high relative to typical local faults.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`5069185fc18e810715a91d80fcd075e03add600c`	affected	< 86f93dfb23f5bf4f285c4256a7e909d222f7de56
`5069185fc18e810715a91d80fcd075e03add600c`	affected	< 16875e3b7bc9e59bfa0acaf1e43f275a6f42a30f
`5069185fc18e810715a91d80fcd075e03add600c`	affected	< 0560a4b09c92e2ecaa883965cf6f9ca51c158ff9
`5069185fc18e810715a91d80fcd075e03add600c`	affected	< 0de95d29d847c6217b7d5845e24a71a4aee7b359
`5069185fc18e810715a91d80fcd075e03add600c`	affected	< 4aeaf03c17260415c2fdd55992f9ad4188d5455a
`5069185fc18e810715a91d80fcd075e03add600c`	affected	< 03d1e4ee4e6aa6d2966e883e4ca0e5be73bf1b7c
`5069185fc18e810715a91d80fcd075e03add600c`	affected	< abea607ff2f62f4c0a5fb29f7fbdaaab163276a4
`5069185fc18e810715a91d80fcd075e03add600c`	affected	< 5f0b1cb41906e86b64bf69f5ededb83b0d757c27

Linux

affected

Version	Status	Constraints
`5.10`	affected	—
`0`	unaffected	< 5.10
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5069185fc18e810715a91d80fcd075e03add600c,86f93dfb23f5bf4f285c4256a7e909d222f7de56)`	affected	code_commit	—
`[5069185fc18e810715a91d80fcd075e03add600c,16875e3b7bc9e59bfa0acaf1e43f275a6f42a30f)`	affected	code_commit	—
`[5069185fc18e810715a91d80fcd075e03add600c,0560a4b09c92e2ecaa883965cf6f9ca51c158ff9)`	affected	code_commit	—
`[5069185fc18e810715a91d80fcd075e03add600c,0de95d29d847c6217b7d5845e24a71a4aee7b359)`	affected	code_commit	—
`[5069185fc18e810715a91d80fcd075e03add600c,4aeaf03c17260415c2fdd55992f9ad4188d5455a)`	affected	code_commit	—
`[5069185fc18e810715a91d80fcd075e03add600c,03d1e4ee4e6aa6d2966e883e4ca0e5be73bf1b7c)`	affected	code_commit	—
`[5069185fc18e810715a91d80fcd075e03add600c,abea607ff2f62f4c0a5fb29f7fbdaaab163276a4)`	affected	code_commit	—
`[5069185fc18e810715a91d80fcd075e03add600c,5f0b1cb41906e86b64f69f5ededb83b0d757c27)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.10`	affected	generic	—
`[0,5.10)`	unaffected	generic	—
`[5.10.252,5.11.0)`	unaffected	semver	—
`[5.15.202,5.16.0)`	unaffected	semver	—
`[6.1.165,6.2.0)`	unaffected	semver	—
`[6.6.128,6.7.0)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.14,6.19.0)`	unaffected	semver	—
`[6.19.4,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the upstream kernel patch that orders the devm calls so the IRQ is requested only after the power_supply handle is registered and freed
Upgrade the system kernel to a release that includes this patch, such as the latest stable release from the vendor or upstream
If an immediate kernel upgrade is not possible, disable the bq25980 driver in the kernel configuration or remove its interrupts from the system

Generated by OpenCVE AI on May 28, 2026 at 13:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/03d1e4ee4e6aa6d2966e883e4ca0e5be73bf1b7c
https://git.kernel.org/stable/c/0560a4b09c92e2ecaa883965cf6f9ca51c158ff9
https://git.kernel.org/stable/c/0de95d29d847c6217b7d5845e24a71a4aee7b359
https://git.kernel.org/stable/c/16875e3b7bc9e59bfa0acaf1e43f275a6f42a30f
https://git.kernel.org/stable/c/4aeaf03c17260415c2fdd55992f9ad4188d5455a
https://git.kernel.org/stable/c/5f0b1cb41906e86b64bf69f5ededb83b0d757c27
https://git.kernel.org/stable/c/86f93dfb23f5bf4f285c4256a7e909d222f7de56
https://git.kernel.org/stable/c/abea607ff2f62f4c0a5fb29f7fbdaaab163276a4
https://lore.kernel.org/linux-cve-announce/2026052715-CVE-2026-45879-24a2@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-45879
https://www.cve.org/CVERecord?id=CVE-2026-45879

History

Thu, 28 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-364
References		https://lore.kernel.org/linux-cve-announce/2026052715-CVE-2026-45879-24a2@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-45879 https://www.cve.org/CVERecord?id=CVE-2026-45879

Wed, 27 May 2026 21:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: power: supply: bq25980: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, but just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle uninitialized in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle.
Title		power: supply: bq25980: Fix use-after-free in power_supply_changed()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/03d1e4ee4e6aa6d2966e883e4ca0e5be73bf1b7c https://git.kernel.org/stable/c/0560a4b09c92e2ecaa883965cf6f9ca51c158ff9 https://git.kernel.org/stable/c/0de95d29d847c6217b7d5845e24a71a4aee7b359 https://git.kernel.org/stable/c/16875e3b7bc9e59bfa0acaf1e43f275a6f42a30f https://git.kernel.org/stable/c/4aeaf03c17260415c2fdd55992f9ad4188d5455a https://git.kernel.org/stable/c/5f0b1cb41906e86b64bf69f5ededb83b0d757c27 https://git.kernel.org/stable/c/86f93dfb23f5bf4f285c4256a7e909d222f7de56 https://git.kernel.org/stable/c/abea607ff2f62f4c0a5fb29f7fbdaaab163276a4

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:16:50.137Z

Updated: 2026-05-27T12:16:50.137Z

Reserved: 2026-05-13T15:03:33.081Z

Link: CVE-2026-45879

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:01.677

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45879

Redhat

Severity :

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45879 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T14:00:18Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object