Description
In the Linux kernel, the following vulnerability has been resolved:

power: supply: pf1550: Fix use-after-free in power_supply_changed()

Using the `devm_` variant for requesting IRQ _before_ the `devm_`
variant for allocating/registering the `power_supply` handle, means that
the `power_supply` handle will be deallocated/unregistered _before_ the
interrupt handler (since `devm_` naturally deallocates in reverse
allocation order). This means that during removal, there is a race
condition where an interrupt can fire just _after_ the `power_supply`
handle has been freed, *but* just _before_ the corresponding
unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling `power_supply_changed()` with
a freed `power_supply` handle. Which usually crashes the system or
otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during
`probe()`; the possibility of an interrupt firing _before_ registering
the `power_supply` handle. This would then lead to the nasty situation
of using the `power_supply` handle *uninitialized* in
`power_supply_changed()`.

Fix this racy use-after-free by making sure the IRQ is requested _after_
the registration of the `power_supply` handle.
Published: 2026-05-27
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
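The `devm_` ordering problem described in the commit message above can be reproduced in a small user-space model. This is an added example, not the pf1550 driver's code or the upstream patch: the `model_*` helpers, `irq_window()` and `count_bad_windows()` are hypothetical names, and the only kernel behaviour assumed is that managed resources are released in reverse order of registration.

```c
#include <stdio.h>
#include <stdbool.h>

/* User-space model of devres: release callbacks run in reverse (LIFO) order. */
#define MAX_RES 8
typedef void (*release_fn)(void);

static release_fn stack[MAX_RES];
static int depth;
static bool psy_registered; /* models a live power_supply handle */
static bool irq_requested;  /* models an installed IRQ handler */
static int bad_windows;     /* steps where the IRQ is live but the handle is not */

/* An interrupt may fire at any step boundary while the handler is installed. */
static void irq_window(void)
{
    if (irq_requested && !psy_registered)
        bad_windows++; /* handler would pass a bad handle to power_supply_changed() */
}

static void devm_add(release_fn fn) { stack[depth++] = fn; }
static void release_psy(void) { psy_registered = false; }
static void release_irq(void) { irq_requested = false; }

static void model_register_psy(void) { psy_registered = true; devm_add(release_psy); irq_window(); }
static void model_request_irq(void)  { irq_requested = true;  devm_add(release_irq); irq_window(); }

/* Driver removal: unwind every managed resource, newest first. */
static void devres_release_all(void)
{
    while (depth > 0) { stack[--depth](); irq_window(); }
}

/* Number of windows in which the handler could see an invalid handle. */
int count_bad_windows(bool irq_first)
{
    depth = 0; bad_windows = 0; psy_registered = irq_requested = false;
    if (irq_first) { model_request_irq(); model_register_psy(); }  /* order before the fix */
    else           { model_register_psy(); model_request_irq(); }  /* order after the fix */
    devres_release_all();
    return bad_windows;
}

int main(void)
{
    printf("IRQ requested first: %d unsafe windows\n", count_bad_windows(true));
    printf("power_supply registered first: %d unsafe windows\n", count_bad_windows(false));
    return 0;
}
```

With the IRQ requested first, the model reports one unsafe window during probe (handle not yet registered) and one during removal (handle already released); with the corrected order it reports none.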
AI Analysis

Impact

During removal or probe of the pf1550 power‑supply driver in Linux, a race condition exists because the IRQ is requested before the power_supply handle is allocated. The interrupt handler can therefore invoke power_supply_changed() with a freed or uninitialized handle, leading to a kernel crash or silent memory corruption.

Affected Systems

All Linux kernels that include the pf1550 power‑supply driver prior to the commit that reorders the IRQ request after the power_supply registration are affected. This includes upstream kernels before the fix and any distribution kernels that have not yet applied the patch, on systems that actually load or probe the pf1550 driver.

Risk and Exploitability

No CVSS score or EPSS value is provided, and the vulnerability is classified as a local kernel fault. Exploitation requires local or privileged access to trigger driver removal or to cause an interrupt during probe, making remote exploitation unlikely. The vulnerability is not listed in CISA KEV, indicating no known public exploits at this time. The risk to a non‑patched system remains low unless an attacker can influence the driver lifecycle or interrupt traffic.

Generated by OpenCVE AI on May 27, 2026 at 20:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that moves request_irq after power_supply registration, as introduced in commit 1bdefeed904f1f17e1f73a4d8a035515f3a9fad8.
  • If an update is not immediately possible, disable or unload the pf1550 driver and remove the associated hardware to eliminate the crash sequence.
  • Monitor kernel logs (e.g., dmesg) for Oops or BUG messages; if such events occur, apply the patch or remove the driver promptly.



Advisories

No advisories yet.

History

Thu, 28 May 2026 12:15:00 +0000


Wed, 27 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Title power: supply: pf1550: Fix use-after-free in power_supply_changed()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:17:16.142Z

Reserved: 2026-05-13T15:03:33.084Z

Link: CVE-2026-45906

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:05.127

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45906

Redhat

Severity :

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45906 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-27T20:45:25Z

Weaknesses