CVE-2026-45885 - Vulnerability Details

- power: supply: cpcap-battery: Fix use-after-free in power_supply_changed()

Description

In the Linux kernel, the following vulnerability has been resolved:

power: supply: cpcap-battery: Fix use-after-free in power_supply_changed()

Using the `devm_` variant for requesting IRQ _before_ the `devm_`
variant for allocating/registering the `power_supply` handle, means that
the `power_supply` handle will be deallocated/unregistered _before_ the
interrupt handler (since `devm_` naturally deallocates in reverse
allocation order). This means that during removal, there is a race
condition where an interrupt can fire just _after_ the `power_supply`
handle has been freed, *but* just _before_ the corresponding
unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling `power_supply_changed()` with
a freed `power_supply` handle. Which usually crashes the system or
otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during
`probe()`; the possibility of an interrupt firing _before_ registering
the `power_supply` handle. This would then lead to the nasty situation
of using the `power_supply` handle *uninitialized* in
`power_supply_changed()`.

Fix this racy use-after-free by making sure the IRQ is requested _after_
the registration of the `power_supply` handle.

Published: 2026-05-27

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A race condition exists in the Linux kernel power subsystem where the power supply device allocator deallocates its handle before the interrupt line is unregistered during removal, or may use an uninitialized handle during probe. The resulting use‑after‑free causes the interrupt routine to call power_supply_changed() with a dangling reference, which typically leads to a kernel crash or silent memory corruption that can render the system non‑operational. The flaw falls under the well‑known kernel misuse category of use‑after‑free (CWE‑416).

Affected Systems

All Linux kernel releases that include the cpcap‑battery power supply driver are affected; no explicit version boundaries are provided, so any kernel where this driver follows the described allocation order is vulnerable unless superseded by the fix.

Risk and Exploitability

Based on the description, it is inferred that the attack requires a local user to trigger device removal or probe while an IRQ is pending—implying local privilege or kernel module manipulation is necessary. The CVSS score is not supplied, the EPSS is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Even though the risk remains limited to systems that load the affected driver, a local privilege holder could exploit the flaw to crash the system or corrupt memory, potentially leading to further exploitation if memory corruption is leveraged.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`874b2adbed1253a11549cb9b7b912ab65fea9cf2`	affected	< c549dd3de4b3f6e726d1b8386d40ccf7d3abdbe4
`874b2adbed1253a11549cb9b7b912ab65fea9cf2`	affected	< 3ff75cba1c98349a23a8f9333981deba1972cc11
`874b2adbed1253a11549cb9b7b912ab65fea9cf2`	affected	< 2ce2334be155bd8bad6377e99984246ce4dbd08c
`874b2adbed1253a11549cb9b7b912ab65fea9cf2`	affected	< cbb9b07f88a9ef6518934c41eb3e8cf840d657d5
`874b2adbed1253a11549cb9b7b912ab65fea9cf2`	affected	< f3fbe309c9bfe1aac1e2b26543e9dc4829f3275a
`874b2adbed1253a11549cb9b7b912ab65fea9cf2`	affected	< 2841bbb5a35c4449c0a0458e8e476b2a62f95147
`874b2adbed1253a11549cb9b7b912ab65fea9cf2`	affected	< e261be6f18929f2397cd54cd583a2df624c129c1
`874b2adbed1253a11549cb9b7b912ab65fea9cf2`	affected	< 642f33e34b969eedec334738fd5df95d2dc42742

Linux

affected

Version	Status	Constraints
`4.13`	affected	—
`0`	unaffected	< 4.13
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[874b2adbed1253a11549cb9b7b912ab65fea9cf2,c549dd3de4b3f6e726d1b8386d40ccf7d3abdbe4)`	affected	code_commit	—
`[874b2adbed1253a11549cb9b7b912ab65fea9cf2,3ff75cba1c98349a23a8f9333981deba1972cc11)`	affected	code_commit	—
`[874b2adbed1253a11549cb9b7b912ab65fea9cf2,2ce2334be155bd8bad6377e99984246ce4dbd08c)`	affected	code_commit	—
`[874b2adbed1253a11549cb9b7b912ab65fea9cf2,cbb9b07f88a9ef6518934c41eb3e8cf840d657d5)`	affected	code_commit	—
`[874b2adbed1253a11549cb9b7b912ab65fea9cf2,f3fbe309c9bfe1aac1e2b26543e9dc4829f3275a)`	affected	code_commit	—
`[874b2adbed1253a11549cb9b7b912ab65fea9cf2,2841bbb5a35c4449c0a0458e8e476b2a62f95147)`	affected	code_commit	—
`[874b2adbed1253a11549cb9b7b912ab65fea9cf2,e261be6f18929f2397cd54cd583a2df624c129c1)`	affected	code_commit	—
`[874b2adbed1253a11549cb9b7b912ab65fea9cf2,642f33e34b969eedec334738fd5df95d2dc42742)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.13`	affected	generic	—
`[0,4.13)`	unaffected	generic	—
`[5.10.252,5.11.0)`	unaffected	semver	—
`[5.15.202,5.16.0)`	unaffected	semver	—
`[6.1.165,6.2.0)`	unaffected	semver	—
`[6.6.128,6.7.0)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.14,6.19.0)`	unaffected	semver	—
`[6.19.4,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel version that includes the cpcap‑battery use‑after‑free fix.
Reboot the system to ensure the patched driver is loaded and the old instance is fully unloaded.
If the cpcap‑battery driver is not required, disable it by removing the module or preventing the device from being loaded (e.g., via systemd masking or kernel boot parameters).

Generated by OpenCVE AI on May 27, 2026 at 19:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2841bbb5a35c4449c0a0458e8e476b2a62f95147
https://git.kernel.org/stable/c/2ce2334be155bd8bad6377e99984246ce4dbd08c
https://git.kernel.org/stable/c/3ff75cba1c98349a23a8f9333981deba1972cc11
https://git.kernel.org/stable/c/642f33e34b969eedec334738fd5df95d2dc42742
https://git.kernel.org/stable/c/c549dd3de4b3f6e726d1b8386d40ccf7d3abdbe4
https://git.kernel.org/stable/c/cbb9b07f88a9ef6518934c41eb3e8cf840d657d5
https://git.kernel.org/stable/c/e261be6f18929f2397cd54cd583a2df624c129c1
https://git.kernel.org/stable/c/f3fbe309c9bfe1aac1e2b26543e9dc4829f3275a

History

Wed, 27 May 2026 19:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: power: supply: cpcap-battery: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, but just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle uninitialized in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle.
Title		power: supply: cpcap-battery: Fix use-after-free in power_supply_changed()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2841bbb5a35c4449c0a0458e8e476b2a62f95147 https://git.kernel.org/stable/c/2ce2334be155bd8bad6377e99984246ce4dbd08c https://git.kernel.org/stable/c/3ff75cba1c98349a23a8f9333981deba1972cc11 https://git.kernel.org/stable/c/642f33e34b969eedec334738fd5df95d2dc42742 https://git.kernel.org/stable/c/c549dd3de4b3f6e726d1b8386d40ccf7d3abdbe4 https://git.kernel.org/stable/c/cbb9b07f88a9ef6518934c41eb3e8cf840d657d5 https://git.kernel.org/stable/c/e261be6f18929f2397cd54cd583a2df624c129c1 https://git.kernel.org/stable/c/f3fbe309c9bfe1aac1e2b26543e9dc4829f3275a

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:16:57.246Z

Updated: 2026-05-27T12:16:57.246Z

Reserved: 2026-05-13T15:03:33.082Z

Link: CVE-2026-45885

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:02.417

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45885

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:15:26Z

Weaknesses

CWE-416

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object