Description
In the Linux kernel, the following vulnerability has been resolved:

power: supply: goldfish: Fix use-after-free in power_supply_changed()

Using the `devm_` variant for requesting IRQ _before_ the `devm_`
variant for allocating/registering the `power_supply` handle, means that
the `power_supply` handle will be deallocated/unregistered _before_ the
interrupt handler (since `devm_` naturally deallocates in reverse
allocation order). This means that during removal, there is a race
condition where an interrupt can fire just _after_ the `power_supply`
handle has been freed, *but* just _before_ the corresponding
unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling `power_supply_changed()` with
a freed `power_supply` handle. Which usually crashes the system or
otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during
`probe()`; the possibility of an interrupt firing _before_ registering
the `power_supply` handle. This would then lead to the nasty situation
of using the `power_supply` handle *uninitialized* in
`power_supply_changed()`.

Fix this racy use-after-free by making sure the IRQ is requested _after_
the registration of the `power_supply` handle.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug occurs in the Linux kernel goldfish power supply driver. A race between IRQ registration and power_supply registration can trigger an interrupt handler after the power_supply handle has been freed, causing power_supply_changed() to access freed memory. This usually results in a kernel crash or silent memory corruption. The weakness is a use‑after‑free race condition.

Affected Systems

The flaw affects any Linux kernel that includes the goldfish power supply driver. No specific kernel version range is supplied; systems running kernel images containing the driver are potentially vulnerable. The affected product is the Linux kernel power supply subsystem.

Risk and Exploitability

The EPSS metric is not available and the vulnerability is not listed in the CISA KEV catalog, yet the nature of the bug—an unprotected use‑after‑free in a privileged kernel function—means an attacker with physical or local code execution on a device using goldfish power supply could trigger a denial of service or potentially leverage memory corruption for escalation. The attack likely requires local interaction with the hardware that can trigger interrupts during driver removal or initialization, so the vector is inferred to be local or hardware.

Generated by OpenCVE AI on May 27, 2026 at 17:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the goldfish driver fix (e.g., commit 0b29ffe4 or later).
  • Temporarily disable goldfish power supply hotplug or remove the device from the system to prevent the race condition during removal.
  • Configure the system to disable or remove goldfish power supply support (e.g., via kernel configuration or BIOS settings) if a kernel upgrade cannot be performed immediately.

Generated by OpenCVE AI on May 27, 2026 at 17:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: power: supply: goldfish: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle.
Title power: supply: goldfish: Fix use-after-free in power_supply_changed()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:17:53.451Z

Reserved: 2026-05-13T15:03:33.086Z

Link: CVE-2026-45936

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:09.740

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45936

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T17:30:38Z

Weaknesses