Description
In the Linux kernel, the following vulnerability has been resolved:

thermal: core: Fix thermal zone governor cleanup issues

If thermal_zone_device_register_with_trips() fails after adding
a thermal governor to the thermal zone being registered, the
governor is not removed from it as appropriate which may lead to
a memory leak.

In turn, thermal_zone_device_unregister() calls thermal_set_governor()
without acquiring the thermal zone lock beforehand which may race with
a governor update via sysfs and may lead to a use-after-free in that
case.

Address these issues by adding two thermal_set_governor() calls, one to
thermal_release() to remove the governor from the given thermal zone,
and one to the thermal zone registration error path to cover failures
preceding the thermal zone device registration.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Linux kernel’s thermal core subsystem. When a thermal governor is added to a thermal zone and the subsequent device registration fails, the governor is not removed, resulting in a memory leak. Additionally, the unregistration routine calls thermal_set_governor() without acquiring the thermal zone lock, which can race with concurrent sysfs updates and lead to a use‑after‑free. These flaws create a kernel‑level weakness that could allow a privileged local attacker to crash the kernel or execute arbitrary code if the freed object is reused maliciously.

Affected Systems

All Linux kernel builds that ship the thermal core subsystem and have not incorporated the referenced commits are affected. The fix is present in the commits linked above, so any kernel newer than those points is protected. Systems running unpatched Linux kernels of any vendor that include the thermal subsystem are at risk.

Risk and Exploitability

Based on the description, the likely attack vector is local privilege escalation via the sysfs thermal interface. The CVSS score of 7.0 indicates a high severity, and EPSS is unavailable. The absence of a remote exploitation path combined with the kernel‑level impact suggests a moderate‑to‑high risk. The vulnerability is not listed in the CISA KEV catalog and no public exploit is known, however the use‑after‑free could allow code execution if an attacker can arrange the race condition or provoke the failure path.

Generated by OpenCVE AI on May 28, 2026 at 05:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the thermal zone governor cleanup fixes, which remove governors on failure.
  • Ensure that all calls to thermal_set_governor() are protected by the thermal zone lock, as implemented in the fix, to eliminate the race condition (CWE‑825).
  • Reboot the system so that the updated kernel and its fixes take effect.
  • Configure log monitoring to alert on kernel panics or abnormal thermal subsystem behavior that may indicate residual issues.

Generated by OpenCVE AI on May 28, 2026 at 05:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Thu, 28 May 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CWE-416

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 27 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix thermal zone governor cleanup issues If thermal_zone_device_register_with_trips() fails after adding a thermal governor to the thermal zone being registered, the governor is not removed from it as appropriate which may lead to a memory leak. In turn, thermal_zone_device_unregister() calls thermal_set_governor() without acquiring the thermal zone lock beforehand which may race with a governor update via sysfs and may lead to a use-after-free in that case. Address these issues by adding two thermal_set_governor() calls, one to thermal_release() to remove the governor from the given thermal zone, and one to the thermal zone registration error path to cover failures preceding the thermal zone device registration.
Title thermal: core: Fix thermal zone governor cleanup issues
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:48:31.554Z

Reserved: 2026-05-13T15:03:33.092Z

Link: CVE-2026-46021

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T14:17:20.567

Modified: 2026-06-16T15:55:42.373

Link: CVE-2026-46021

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46021 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T08:30:11Z

Weaknesses
  • CWE-401

    Missing Release of Memory after Effective Lifetime

  • CWE-825

    Expired Pointer Dereference