Description
In the Linux kernel, the following vulnerability has been resolved:

power: supply: pm8916_lbc: Fix use-after-free in power_supply_changed()

Using the `devm_` variant for requesting IRQ _before_ the `devm_`
variant for allocating/registering the `power_supply` handle, means that
the `power_supply` handle will be deallocated/unregistered _before_ the
interrupt handler (since `devm_` naturally deallocates in reverse
allocation order). This means that during removal, there is a race
condition where an interrupt can fire just _after_ the `power_supply`
handle has been freed, *but* just _before_ the corresponding
unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling `power_supply_changed()` with
a freed `power_supply` handle. Which usually crashes the system or
otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during
`probe()`; the possibility of an interrupt firing _before_ registering
the `power_supply` handle. This would then lead to the nasty situation
of using the `power_supply` handle *uninitialized* in
`power_supply_changed()`.

Fix this racy use-after-free by making sure the IRQ is requested _after_
the registration of the `power_supply` handle.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel pm8916_lbc power supply driver allows a race condition where the power_supply handle is freed before the IRQ handler is unregistered, causing a use‑after‑free in power_supply_changed(). Based on the description, this can crash the system or silently corrupt memory. The likely attack vector is a hardware interrupt during device removal or probe, which may be triggered by a hot‑plug event or normal device operation.

Affected Systems

All Linux kernel builds that include the pm8916_lbc driver before the patch that changes the order of IRQ registration and power_supply registration are affected. Vendor: Linux; Product: Linux Kernel power supply driver; specific affected versions are those before the commit referenced in the advisory.

Risk and Exploitability

The CVSS score is not provided, and the EPSS score is not available; the vulnerability is not listed in CISA KEV. Because it requires an interrupt that occurs during kernel‑level operations, exploitation is limited to privileged or device‑manipulation scenarios. Nonetheless, successful exploitation would result in a kernel panic or memory corruption, a high‑impact outcome. The overall risk is moderate to high, warranting prompt mitigation.

Generated by OpenCVE AI on May 27, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the fix for pm8916_lbc (e.g., commit 08e674e9 or newer).
  • If an update is not yet available, apply the vendor‑provided patch that reorders the IRQ request to occur after the power_supply handle registration.
  • Verify that device removal and probe code do not trigger IRQs before the driver’s power_supply registration or after its unregistration, and disable interrupts if necessary until the registration sequence is complete.

Generated by OpenCVE AI on May 27, 2026 at 16:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: power: supply: pm8916_lbc: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle.
Title power: supply: pm8916_lbc: Fix use-after-free in power_supply_changed()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:17:54.812Z

Reserved: 2026-05-13T15:03:33.087Z

Link: CVE-2026-45938

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:09.977

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45938

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T16:30:36Z

Weaknesses