Description
In the Linux kernel, the following vulnerability has been resolved:

Revert "hwmon: (ibmpex) fix use-after-free in high/low store"

This reverts commit 6946c726c3f4c36f0f049e6f97e88c510b15f65d.

Jean Delvare points out that the patch does not completely
fix the reported problem, that it in fact introduces a
(new) race condition, and that it may actually not be needed in
the first place.

Various AI reviews agree. Specific and relevant AI feedback:

"
This reordering sets the driver data to NULL before removing the sensor
attributes in the loop below.

ibmpex_show_sensor() retrieves this driver data via dev_get_drvdata() but
does not check if it is NULL before dereferencing it to access
data->sensors[].

If a userspace process reads a sensor file (like temp1_input) while this
delete function is running, could it race with the dev_set_drvdata(...,
NULL) call here and crash in ibmpex_show_sensor()?

Would it be safer to keep the original order where device_remove_file() is
called before clearing the driver data? device_remove_file() should wait
for any active sysfs callbacks to complete, which might already prevent the
use-after-free this patch intends to fix.
"

Revert the offending patch. If it can be shown that the originally reported
alleged race condition does indeed exist, it can always be re-introduced
with a complete fix.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The IBM PEX hardware monitoring driver in the Linux kernel contains a race condition that can lead to a null pointer dereference. When a userspace process reads a sensor file at the same time the driver is being unloaded, the driver data is cleared to NULL before the sysfs callback finishes, causing the kernel to crash. This results in a denial‑of‑service affecting the entire system.

Affected Systems

All Linux kernel builds that include the ibmpex driver are potentially impacted. No specific vendor version is listed, and the issue is present wherever the driver is compiled into the kernel.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not currently listed in the CISA KEV catalog. Attackers would need local access or privileged users to trigger the race condition, for example by repeatedly reading sensor files while the driver is being removed. Successful exploitation would result in a kernel crash and a system‑wide denial of service.

Generated by OpenCVE AI on May 28, 2026 at 17:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that reverts the offending patch and restores correct driver behavior.
  • If an update cannot be applied immediately, unload or blacklist the ibmpex kernel module so that the sensor files are not exposed and no userspace process can read them during removal.
  • As a temporary measure, restrict or remove read permissions on the relevant sysfs entries (e.g., temp*_input) to prevent accidental access while the driver is being unloaded.

Generated by OpenCVE AI on May 28, 2026 at 17:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4606-1 linux security update
History

Thu, 28 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-476

Thu, 28 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 27 May 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-476

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Revert "hwmon: (ibmpex) fix use-after-free in high/low store" This reverts commit 6946c726c3f4c36f0f049e6f97e88c510b15f65d. Jean Delvare points out that the patch does not completely fix the reported problem, that it in fact introduces a (new) race condition, and that it may actually not be needed in the first place. Various AI reviews agree. Specific and relevant AI feedback: " This reordering sets the driver data to NULL before removing the sensor attributes in the loop below. ibmpex_show_sensor() retrieves this driver data via dev_get_drvdata() but does not check if it is NULL before dereferencing it to access data->sensors[]. If a userspace process reads a sensor file (like temp1_input) while this delete function is running, could it race with the dev_set_drvdata(..., NULL) call here and crash in ibmpex_show_sensor()? Would it be safer to keep the original order where device_remove_file() is called before clearing the driver data? device_remove_file() should wait for any active sysfs callbacks to complete, which might already prevent the use-after-free this patch intends to fix. " Revert the offending patch. If it can be shown that the originally reported alleged race condition does indeed exist, it can always be re-introduced with a complete fix.
Title Revert "hwmon: (ibmpex) fix use-after-free in high/low store"
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:17:29.426Z

Reserved: 2026-05-13T15:03:33.085Z

Link: CVE-2026-45914

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:06.180

Modified: 2026-06-17T10:52:43.323

Link: CVE-2026-45914

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45914 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T17:30:15Z

Weaknesses
  • CWE-364

    Signal Handler Race Condition