CVE-2026-45946 - Vulnerability Details

- power: supply: ab8500: Fix use-after-free in power_supply_changed()

Description

In the Linux kernel, the following vulnerability has been resolved:

power: supply: ab8500: Fix use-after-free in power_supply_changed()

Using the `devm_` variant for requesting IRQ _before_ the `devm_`
variant for allocating/registering the `power_supply` handle, means that
the `power_supply` handle will be deallocated/unregistered _before_ the
interrupt handler (since `devm_` naturally deallocates in reverse
allocation order). This means that during removal, there is a race
condition where an interrupt can fire just _after_ the `power_supply`
handle has been freed, *but* just _before_ the corresponding
unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling `power_supply_changed()` with
a freed `power_supply` handle. Which usually crashes the system or
otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during
`probe()`; the possibility of an interrupt firing _before_ registering
the `power_supply` handle. This would then lead to the nasty situation
of using the `power_supply` handle *uninitialized* in
`power_supply_changed()`.

Commit 1c1f13a006ed ("power: supply: ab8500: Move to componentized
binding") introduced this issue during a refactorization. Fix this racy
use-after-free by making sure the IRQ is requested _after_ the
registration of the `power_supply` handle.

Published: 2026-05-27

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a use‑after‑free race condition in the Linux kernel’s ab8500 power supply driver. During removal or probe, the IRQ handler can be triggered after the power_supply handle has been freed or before it is initialized, causing power_supply_changed() to operate on invalid memory. This flaw can lead to a system crash or hidden memory corruption. The weakness is a classic use‑after‑free, and the improper ordering of resource lifecycle operations reflect CWE‑364.

Affected Systems

The flaw affects all Linux kernel builds that include the ab8500 power supply driver. No specific kernel version list is given in the data, but the issue is introduced by commit 1c1f13a006ed and fixed in subsequent commits. Devices that rely on the ab8500 battery charger controller are therefore impacted.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, but the EPSS score of <1% indicates a very low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog, indicating no known public exploits. Based on the description, the flaw could be leveraged by a local or privileged attacker who can trigger a power supply interrupt during device removal or initialization, which could result in a kernel crash or memory corruption. The overall risk is therefore a potential local denial of service but without evidence of widespread or remote exploitation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1c1f13a006ed0d71bb5664c8b7e3e77a28da3beb`	affected	< 43cbb78ee047b9b12d096d40e3be265969d4c1f8
`1c1f13a006ed0d71bb5664c8b7e3e77a28da3beb`	affected	< 551672981fe227122258a25a385a05f5c0746ad6
`1c1f13a006ed0d71bb5664c8b7e3e77a28da3beb`	affected	< f50433f2603def08b21a4bf2fd238687fb5cbde9
`1c1f13a006ed0d71bb5664c8b7e3e77a28da3beb`	affected	< 847eeb6c0efcd76c7def73857cf798a4fcd8f79b
`1c1f13a006ed0d71bb5664c8b7e3e77a28da3beb`	affected	< 709db4b476e254579d9c48ec34d397a41ca0c407
`1c1f13a006ed0d71bb5664c8b7e3e77a28da3beb`	affected	< 46dbda27b028d78087667e8280966b99cec015ca
`1c1f13a006ed0d71bb5664c8b7e3e77a28da3beb`	affected	< c4af8a98bb52825a5331ae1d0604c0ea6956ba4b
`341db343768bc44f3512facc464021730d64071c`	affected	—
`5.13.4`	affected	< 5.14

Linux

affected

Version	Status	Constraints
`5.14`	affected	—
`0`	unaffected	< 5.14
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1c1f13a006ed0d71bb5664c8b7e3e77a28da3beb,43cbb78ee047b9b12d096d40e3be265969d4c1f8)`	affected	code_commit	—
`[1c1f13a006ed0d71bb5664c8b7e3e77a28da3beb,551672981fe227122258a25a385a05f5c0746ad6)`	affected	code_commit	—
`[1c1f13a006ed0d71bb5664c8b7e3e77a28da3beb,f50433f2603def08b21a4bf2fd238687fb5cbde9)`	affected	code_commit	—
`[1c1f13a006ed0d71bb5664c8b7e3e77a28da3beb,847eeb6c0efcd76c7def73857cf798a4fcd8f79b)`	affected	code_commit	—
`[1c1f13a006ed0d71bb5664c8b7e3e77a28da3beb,709db4b476e254579d9c48ec34d397a41ca0c407)`	affected	code_commit	—
`[1c1f13a006ed0d71bb5664c8b7e3e77a28da3beb,46dbda27b028d78087667e8280966b99cec015ca)`	affected	code_commit	—
`[1c1f13a006ed0d71bb5664c8b7e3e77a28da3beb,c4af8a98bb52825a5331ae1d0604c0ea6956ba4b)`	affected	code_commit	—
`341db343768bc44f3512facc464021730d64071c`	affected	code_commit	—
`[5.13.4,5.14)`	affected	semver	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.14`	affected	semver	—
`[0,5.14)`	unaffected	generic	—
`[5.15.202,5.16.0)`	unaffected	semver	—
`[6.1.165,6.2.0)`	unaffected	semver	—
`[6.6.128,6.7.0)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.14,6.19.0)`	unaffected	semver	—
`[6.19.4,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the commit that fixes the race condition in ab8500.
Rebuild or reload the affected kernel modules to ensure the new IRQ handling logic is active.
Check your distribution’s kernel release notes or vendor documentation for the fix addressing the ab8500 race condition.
If a patch is not yet available, consider disabling the ab8500 power supply driver or disabling its IRQs to mitigate the risk temporarily.

Generated by OpenCVE AI on June 16, 2026 at 21:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00159.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/43cbb78ee047b9b12d096d40e3be265969d4c1f8
https://git.kernel.org/stable/c/46dbda27b028d78087667e8280966b99cec015ca
https://git.kernel.org/stable/c/551672981fe227122258a25a385a05f5c0746ad6
https://git.kernel.org/stable/c/709db4b476e254579d9c48ec34d397a41ca0c407
https://git.kernel.org/stable/c/847eeb6c0efcd76c7def73857cf798a4fcd8f79b
https://git.kernel.org/stable/c/c4af8a98bb52825a5331ae1d0604c0ea6956ba4b
https://git.kernel.org/stable/c/f50433f2603def08b21a4bf2fd238687fb5cbde9
https://lore.kernel.org/linux-cve-announce/2026052730-CVE-2026-45946-705a@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-45946
https://www.cve.org/CVERecord?id=CVE-2026-45946

History

Tue, 16 Jun 2026 06:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 28 May 2026 16:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Thu, 28 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-364
References		https://lore.kernel.org/linux-cve-announce/2026052730-CVE-2026-45946-705a@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-45946 https://www.cve.org/CVERecord?id=CVE-2026-45946

Wed, 27 May 2026 17:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: power: supply: ab8500: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, but just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle uninitialized in `power_supply_changed()`. Commit 1c1f13a006ed ("power: supply: ab8500: Move to componentized binding") introduced this issue during a refactorization. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle.
Title		power: supply: ab8500: Fix use-after-free in power_supply_changed()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/43cbb78ee047b9b12d096d40e3be265969d4c1f8 https://git.kernel.org/stable/c/46dbda27b028d78087667e8280966b99cec015ca https://git.kernel.org/stable/c/551672981fe227122258a25a385a05f5c0746ad6 https://git.kernel.org/stable/c/709db4b476e254579d9c48ec34d397a41ca0c407 https://git.kernel.org/stable/c/847eeb6c0efcd76c7def73857cf798a4fcd8f79b https://git.kernel.org/stable/c/c4af8a98bb52825a5331ae1d0604c0ea6956ba4b https://git.kernel.org/stable/c/f50433f2603def08b21a4bf2fd238687fb5cbde9

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:18:02.708Z

Updated: 2026-05-27T12:18:02.708Z

Reserved: 2026-05-13T15:03:33.088Z

Link: CVE-2026-45946

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-27T14:17:10.900

Modified: 2026-06-16T02:36:44.520

Link: CVE-2026-45946

Redhat

Severity :

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45946 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-16T21:30:16Z

Weaknesses

CWE-364
Signal Handler Race Condition
CWE-416
Use After Free

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object