CVE-2026-45882 - Vulnerability Details

- power: supply: pm8916_bms_vm: Fix use-after-free in power_supply_changed()

Description

In the Linux kernel, the following vulnerability has been resolved:

power: supply: pm8916_bms_vm: Fix use-after-free in power_supply_changed()

Using the `devm_` variant for requesting IRQ _before_ the `devm_`
variant for allocating/registering the `power_supply` handle, means that
the `power_supply` handle will be deallocated/unregistered _before_ the
interrupt handler (since `devm_` naturally deallocates in reverse
allocation order). This means that during removal, there is a race
condition where an interrupt can fire just _after_ the `power_supply`
handle has been freed, *but* just _before_ the corresponding
unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling `power_supply_changed()` with
a freed `power_supply` handle. Which usually crashes the system or
otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during
`probe()`; the possibility of an interrupt firing _before_ registering
the `power_supply` handle. This would then lead to the nasty situation
of using the `power_supply` handle *uninitialized* in
`power_supply_changed()`.

Fix this racy use-after-free by making sure the IRQ is requested _after_
the registration of the `power_supply` handle.

Published: 2026-05-27

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A race condition in the Linux power supply driver for pm8916_bms_vm allows a use‑after‑free of the power_supply handle when an interrupt fires after the driver is unregistered but before the IRQ handler is cleared. The resulting call to power_supply_changed() on a freed object can crash the kernel or silently corrupt memory. The weakness is a classic use‑after‑free that violates kernel memory safety.

Affected Systems

All Linux kernel builds that include the pm8916_bms_vm power supply driver are affected, regardless of distribution. Because the CVE does not list specific kernel versions, any kernel revision that contains this driver prior to the fix is potentially vulnerable.

Risk and Exploitability

The CVSS score for this issue is not provided, but use‑after‑free bugs in the kernel are generally considered high severity due to the potential for system crashes or memory corruption. The EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog. The race condition involves interrupts during driver removal or probe, which could lead to a call to an invalid power_supply handle and result in a crash or silent corruption if an interrupt occurs at the wrong time. Based on the description, an interrupt occurring during driver removal could trigger the issue.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`098bce1838e0549228c8d426e5de72ec5594b5c4`	affected	< b69bb88e20c6f8e998dff3e13a316207f49d3fa2
`098bce1838e0549228c8d426e5de72ec5594b5c4`	affected	< a8b7117ae3a791c6a328674d05a06cd45d8241bd
`098bce1838e0549228c8d426e5de72ec5594b5c4`	affected	< 17db6b3abd823c9fba3f3413c4f0f432d99d49dc
`098bce1838e0549228c8d426e5de72ec5594b5c4`	affected	< 62914959b35e9a1e29cc0f64cb8cfc5075a5366f

Linux

affected

Version	Status	Constraints
`6.7`	affected	—
`0`	unaffected	< 6.7
`6.12.75`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[098bce1838e0549228c8d426e5de72ec5594b5c4,b69bb88e20c6f8e998dff3e13a316207f49d3fa2)`	affected	code_commit	—
`[098bce1838e0549228c8d426e5de72ec5594b5c4,a8b7117ae3a791c6a328674d05a06cd45d8241bd)`	affected	code_commit	—
`[098bce1838e0549228c8d426e5de72ec5594b5c4,17db6b3abd823c9fba3f3413c4f0f432d99d49dc)`	affected	code_commit	—
`[098bce1838e0549228c8d426e5de72ec5594b5c4,62914959b35e9a1e29cc0f64cb8cfc5075a5366f)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.7`	affected	semver	—
`[0,6.7)`	unaffected	semver	—
`[6.12.75,6.12.*]`	unaffected	generic	—
`[6.18.14,6.18.*]`	unaffected	generic	—
`[6.19.4,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the upstream kernel patch that reorders the IRQ request to occur after the power_supply registration.
Rebuild or install a kernel that includes the fixed pm8916_bms_vm driver.
If a patch cannot be applied immediately, disable the pm8916 battery management driver or block its IRQ to prevent the race condition from occurring.

Generated by OpenCVE AI on May 27, 2026 at 16:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/17db6b3abd823c9fba3f3413c4f0f432d99d49dc
https://git.kernel.org/stable/c/62914959b35e9a1e29cc0f64cb8cfc5075a5366f
https://git.kernel.org/stable/c/a8b7117ae3a791c6a328674d05a06cd45d8241bd
https://git.kernel.org/stable/c/b69bb88e20c6f8e998dff3e13a316207f49d3fa2

History

Wed, 27 May 2026 17:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: power: supply: pm8916_bms_vm: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, but just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle uninitialized in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle.
Title		power: supply: pm8916_bms_vm: Fix use-after-free in power_supply_changed()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/17db6b3abd823c9fba3f3413c4f0f432d99d49dc https://git.kernel.org/stable/c/62914959b35e9a1e29cc0f64cb8cfc5075a5366f https://git.kernel.org/stable/c/a8b7117ae3a791c6a328674d05a06cd45d8241bd https://git.kernel.org/stable/c/b69bb88e20c6f8e998dff3e13a316207f49d3fa2

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:16:55.144Z

Updated: 2026-05-27T12:16:55.144Z

Reserved: 2026-05-13T15:03:33.082Z

Link: CVE-2026-45882

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:02.047

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45882

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T17:15:37Z

Weaknesses

CWE-416

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object