Description
In the Linux kernel, the following vulnerability has been resolved:

power: supply: ab8500: Fix use-after-free in power_supply_changed()

Using the `devm_` variant for requesting IRQ _before_ the `devm_`
variant for allocating/registering the `power_supply` handle, means that
the `power_supply` handle will be deallocated/unregistered _before_ the
interrupt handler (since `devm_` naturally deallocates in reverse
allocation order). This means that during removal, there is a race
condition where an interrupt can fire just _after_ the `power_supply`
handle has been freed, *but* just _before_ the corresponding
unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling `power_supply_changed()` with
a freed `power_supply` handle. Which usually crashes the system or
otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during
`probe()`; the possibility of an interrupt firing _before_ registering
the `power_supply` handle. This would then lead to the nasty situation
of using the `power_supply` handle *uninitialized* in
`power_supply_changed()`.

Commit 1c1f13a006ed ("power: supply: ab8500: Move to componentized
binding") introduced this issue during a refactorization. Fix this racy
use-after-free by making sure the IRQ is requested _after_ the
registration of the `power_supply` handle.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free race condition in the Linux kernel’s ab8500 power supply driver. During removal or probe, the IRQ handler can be triggered after the power_supply handle has been freed or before it is initialized, causing power_supply_changed() to operate on invalid memory. This flaw can lead to a system crash or hidden memory corruption. The weakness is a classic use‑after‑free, aligning with CWE‑416. While an attacker would need access to trigger the race, the resulting denial of service or potential escalation makes it a serious flaw.

Affected Systems

The flaw affects all Linux kernel builds that include the ab8500 power supply driver. No specific kernel version list is given in the data, but the issue is introduced by commit 1c1f13a006ed and fixed in subsequent commits. Devices that rely on the ab8500 battery charger controller are therefore impacted.

Risk and Exploitability

No CVSS or EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog, indicating no publicly known exploitation at the time of writing. The risk remains high for denial of service: a local or privileged attacker could intentionally trigger an interrupt during device removal or initialization to crash the system. The lack of a known exploit suggests moderate to high likelihood of use within a trusted environment rather than widespread remote exploitation.

Generated by OpenCVE AI on May 27, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the commit that fixes the race condition in ab8500.
  • Rebuild or reload the affected kernel modules to ensure the new IRQ handling logic is active.
  • Verify that the system boots cleanly after the update and inspect dmesg or system logs for any remaining power_supply_changed() crashes.

Generated by OpenCVE AI on May 27, 2026 at 17:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: power: supply: ab8500: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Commit 1c1f13a006ed ("power: supply: ab8500: Move to componentized binding") introduced this issue during a refactorization. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle.
Title power: supply: ab8500: Fix use-after-free in power_supply_changed()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:18:02.708Z

Reserved: 2026-05-13T15:03:33.088Z

Link: CVE-2026-45946

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:10.900

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45946

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T17:30:38Z

Weaknesses