Description
In the Linux kernel, the following vulnerability has been resolved:

power: supply: sbs-battery: Fix use-after-free in power_supply_changed()

Using the `devm_` variant for requesting IRQ _before_ the `devm_`
variant for allocating/registering the `power_supply` handle, means that
the `power_supply` handle will be deallocated/unregistered _before_ the
interrupt handler (since `devm_` naturally deallocates in reverse
allocation order). This means that during removal, there is a race
condition where an interrupt can fire just _after_ the `power_supply`
handle has been freed, *but* just _before_ the corresponding
unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling `power_supply_changed()` with
a freed `power_supply` handle. Which usually crashes the system or
otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during
`probe()`; the possibility of an interrupt firing _before_ registering
the `power_supply` handle. This would then lead to the nasty situation
of using the `power_supply` handle *uninitialized* in
`power_supply_changed()`.

Fix this racy use-after-free by making sure the IRQ is requested _after_
the registration of the `power_supply` handle. Keep the old behavior of
just printing a warning in case of any failures during the IRQ request
and finishing the probe successfully.
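The ordering problem described above, modelled in userspace C as an added example (this is not the kernel patch or the driver's code). `count_bad_calls`, `set_res` and the `model` struct are constructed names, and the model assumes the worst case of an interrupt arriving right after every probe and removal step.

```c
/* Userspace model of devm teardown ordering. Constructed for illustration;
 * not kernel or sbs-battery code. */
#include <stdbool.h>
#include <stdio.h>

enum res { RES_IRQ, RES_PSY };

struct model {
    enum res stack[2];  /* managed resources, in registration order */
    int n;
    bool irq_live;      /* handler registered, so it may run */
    bool psy_valid;     /* power_supply handle registered and not freed */
    int bad_calls;      /* handler runs that saw an invalid handle */
};

/* An interrupt arrives: the handler would call power_supply_changed(). */
static void irq_fires(struct model *m)
{
    if (m->irq_live && !m->psy_valid)
        m->bad_calls++;
}

/* Flip one resource's state, then assume an IRQ lands right afterwards. */
static void set_res(struct model *m, enum res r, bool on)
{
    if (r == RES_IRQ) m->irq_live = on; else m->psy_valid = on;
    irq_fires(m);
}

/* Probe in the given order, then remove in reverse (LIFO) order. */
int count_bad_calls(bool irq_requested_first)
{
    struct model m = {0};
    m.stack[0] = irq_requested_first ? RES_IRQ : RES_PSY;
    m.stack[1] = irq_requested_first ? RES_PSY : RES_IRQ;
    for (m.n = 0; m.n < 2; m.n++)
        set_res(&m, m.stack[m.n], true);
    while (m.n > 0)
        set_res(&m, m.stack[--m.n], false);
    return m.bad_calls;
}

int main(void)
{
    printf("IRQ requested first: %d invalid-handle calls\n", count_bad_calls(true));
    printf("IRQ requested last:  %d invalid-handle calls\n", count_bad_calls(false));
    return 0;
}
```

With the IRQ requested first, the model records one invalid call in the probe window and one in the removal window; with the IRQ requested last, neither window exists.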
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in the Linux power_supply subsystem, specifically the sbs‐battery driver. An improper ordering between a devm_ IRQ request and a devm_ power_supply handle registration creates a race condition. When the driver is removed or during probe, an IRQ can fire after the power_supply handle has been freed or before it is fully registered. The interrupt handler then calls power_supply_changed() with a dangling or uninitialized pointer, causing the kernel to crash or silently corrupt memory, potentially enabling privilege escalation or denial of service at kernel level.

Affected Systems

The vulnerability exists in any Linux kernel that includes the sbs‑battery power_supply driver and has not yet applied the fix identified by commit 14d4dee5d8fb361bfff275832087254beab66d72. The affected products are generic Linux kernels; no specific versions are enumerated, so all distributions shipping impacted kernel code are susceptible.

Risk and Exploitability

Exploitation requires triggering an interrupt during driver removal or probe, which is a local privilege escalation scenario that can lead to system crash or memory corruption. EPSS data is not available and the flaw is not listed in the CISA KEV catalog, but the kernel-level nature of the bug and the lack of a mitigation increase the risk. The CVSS score is not provided, yet the impact and potential for full kernel compromise indicate high severity.

Generated by OpenCVE AI on May 27, 2026 at 16:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade your Linux kernel to the latest stable release that contains the CVE‑2026‑45916 fix
  • If an immediate upgrade is not possible, rebuild the kernel with the patch from commit 14d4dee5d8fb361bfff275832087254beab66d72 and verify stability
  • As a temporary mitigation, disable or unload the sbs‑battery power_supply driver if it is not required for normal operation

Advisories

No advisories yet.

History

Wed, 27 May 2026 17:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-362, CWE-416 |

Wed, 27 May 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In the Linux kernel, the following vulnerability has been resolved: power: supply: sbs-battery: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. Keep the old behavior of just printing a warning in case of any failures during the IRQ request and finishing the probe successfully. |
| Title | | power: supply: sbs-battery: Fix use-after-free in power_supply_changed() |
| First Time appeared | | Linux; Linux linux Kernel |
| CPEs | | `cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Linux; Linux linux Kernel |
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:17:32.565Z

Reserved: 2026-05-13T15:03:33.085Z

Link: CVE-2026-45916

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:06.463

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45916

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T18:45:39Z

Weaknesses