CVE-2026-45902 - Vulnerability Details

- power: supply: bq256xx: Fix use-after-free in power_supply_changed()

Description

In the Linux kernel, the following vulnerability has been resolved:

power: supply: bq256xx: Fix use-after-free in power_supply_changed()

Using the `devm_` variant for requesting IRQ _before_ the `devm_`
variant for allocating/registering the `power_supply` handle, means that
the `power_supply` handle will be deallocated/unregistered _before_ the
interrupt handler (since `devm_` naturally deallocates in reverse
allocation order). This means that during removal, there is a race
condition where an interrupt can fire just _after_ the `power_supply`
handle has been freed, *but* just _before_ the corresponding
unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling `power_supply_changed()` with
a freed `power_supply` handle. Which usually crashes the system or
otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during
`probe()`; the possibility of an interrupt firing _before_ registering
the `power_supply` handle. This would then lead to the nasty situation
of using the `power_supply` handle *uninitialized* in
`power_supply_changed()`.

Fix this racy use-after-free by making sure the IRQ is requested _after_
the registration of the `power_supply` handle.

Published: 2026-05-27

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability exists in the Linux kernel power supply subsystem for bq256xx devices. A race condition allows the interrupt handler to call power_supply_changed() after the power_supply handle has been freed, or before it has been registered. This use‑after‑free can cause a kernel crash or memory corruption, resulting in service interruption or unpredictable system behavior.

Affected Systems

The affected product is the Linux kernel that includes the bq256xx power supply driver for devices using the bq256xx charger. No specific kernel version is listed; the fix is included in kernel releases that reorder IRQ request after driver registration.

Risk and Exploitability

The CVSS score is not provided and EPSS is unavailable, so the exact exploit probability is unknown. The issue requires a hardware interrupt race during driver removal or probe; it is thus likely a local or physical‑access scenario rather than a remote attack vector. The vulnerability can crash the system or corrupt memory but there is no evidence of remote code execution. The lack of a KEV listing suggests no known live exploitation has been observed.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`32e4978bb920d047fe5de3ea42d176f267c01f63`	affected	< 81d3688c9a2158329391e08f2d0b8ba204216044
`32e4978bb920d047fe5de3ea42d176f267c01f63`	affected	< 74b5a88318db97d51bb40f774736553c2acd1514
`32e4978bb920d047fe5de3ea42d176f267c01f63`	affected	< cb5c743936edcebc51880eeb6bf04979b5c9438b
`32e4978bb920d047fe5de3ea42d176f267c01f63`	affected	< 83c27fdd696ac13d023ef7a0345301be93209c53
`32e4978bb920d047fe5de3ea42d176f267c01f63`	affected	< 4b6fb0b6124f558131e502e3ffd03e6583b3ace6
`32e4978bb920d047fe5de3ea42d176f267c01f63`	affected	< 8796910131a32ff29275052df768ef022929a394
`32e4978bb920d047fe5de3ea42d176f267c01f63`	affected	< 8005843369723d9c8975b7c4202d1b85d6125302

Linux

affected

Version	Status	Constraints
`5.12`	affected	—
`0`	unaffected	< 5.12
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[32e4978bb920d047fe5de3ea42d176f267c01f63,81d3688c9a2158329391e08f2d0b8ba204216044)`	affected	code_commit	—
`[32e4978bb920d047fe5de3ea42d176f267c01f63,74b5a88318db97d51bb40f774736553c2acd1514)`	affected	code_commit	—
`[32e4978bb920d047fe5de3ea42d176f267c01f63,cb5c743936edcebc51880eeb6bf04979b5c9438b)`	affected	code_commit	—
`[32e4978bb920d047fe5de3ea42d176f267c01f63,83c27fdd696ac13d023ef7a0345301be93209c53)`	affected	code_commit	—
`[32e4978bb920d047fe5de3ea42d176f267c01f63,4b6fb0b6124f558131e502e3ffd03e6583b3ace6)`	affected	code_commit	—
`[32e4978bb920d047fe5de3ea42d176f267c01f63,8796910131a32ff29275052df768ef022929a394)`	affected	code_commit	—
`[32e4978bb920d047fe5de3ea42d176f267c01f63,8005843369723d9c8975b7c4202d1b85d6125302)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.12`	affected	generic	—
`[0,5.12)`	unaffected	semver	—
`[5.15.202,5.15.*]`	unaffected	generic	—
`[6.1.165,6.1.*]`	unaffected	generic	—
`[6.6.128,6.6.*]`	unaffected	generic	—
`[6.12.75,6.12.*]`	unaffected	generic	—
`[6.18.14,6.18.*]`	unaffected	generic	—
`[6.19.4,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the kernel to a release that contains the bq256xx driver race‑condition fix.
If an immediate kernel upgrade is not possible, blacklist or unload the bq256xx driver module to prevent its interrupt handling.
If the device must remain enabled, configure the firmware or system settings to disable power‑supply interrupts during device removal or system shutdown to avoid the race.

Generated by OpenCVE AI on May 27, 2026 at 19:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/4b6fb0b6124f558131e502e3ffd03e6583b3ace6
https://git.kernel.org/stable/c/74b5a88318db97d51bb40f774736553c2acd1514
https://git.kernel.org/stable/c/8005843369723d9c8975b7c4202d1b85d6125302
https://git.kernel.org/stable/c/81d3688c9a2158329391e08f2d0b8ba204216044
https://git.kernel.org/stable/c/83c27fdd696ac13d023ef7a0345301be93209c53
https://git.kernel.org/stable/c/8796910131a32ff29275052df768ef022929a394
https://git.kernel.org/stable/c/cb5c743936edcebc51880eeb6bf04979b5c9438b

History

Wed, 27 May 2026 19:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: power: supply: bq256xx: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, but just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle uninitialized in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle.
Title		power: supply: bq256xx: Fix use-after-free in power_supply_changed()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/4b6fb0b6124f558131e502e3ffd03e6583b3ace6 https://git.kernel.org/stable/c/74b5a88318db97d51bb40f774736553c2acd1514 https://git.kernel.org/stable/c/8005843369723d9c8975b7c4202d1b85d6125302 https://git.kernel.org/stable/c/81d3688c9a2158329391e08f2d0b8ba204216044 https://git.kernel.org/stable/c/83c27fdd696ac13d023ef7a0345301be93209c53 https://git.kernel.org/stable/c/8796910131a32ff29275052df768ef022929a394 https://git.kernel.org/stable/c/cb5c743936edcebc51880eeb6bf04979b5c9438b

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:17:10.508Z

Updated: 2026-05-27T12:17:10.508Z

Reserved: 2026-05-13T15:03:33.084Z

Link: CVE-2026-45902

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:04.583

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45902

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:15:26Z

Weaknesses

CWE-416

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object