Description
In the Linux kernel, the following vulnerability has been resolved:

hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt

wait_for_completion_interruptible_timeout() returns -ERESTARTSYS when
interrupted. This needs to abort the URB and return an error. No data
has been received from the device so any reads from the transfer
buffer are invalid.

The original code tests !ret, which only catches the timeout case (0).
On signal delivery (-ERESTARTSYS), !ret is false so the function skips
usb_kill_urb() and falls through to read from the unfilled transfer
buffer.

Fix by capturing the return value into a long (matching the function
return type) and handling signal (negative) and timeout (zero) cases
with separate checks that both call usb_kill_urb() before returning.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The hwmon powerz driver reads power-monitoring data from a USB device through a URB. When wait_for_completion_interruptible_timeout() is interrupted by a signal, the function should terminate the transfer request by calling usb_kill_urb(). The original code omitted this call for signal deliveries, leaving the transfer active and the buffer unfilled. A subsequent read from the unfilled buffer can cause the kernel to process invalid data, potentially leading to a crash or memory corruption. The primary consequence is a local denial of service, as the kernel can become unstable if a user-space process sends a signal during a power-monitor read.
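The three return cases named in the description, as an added userspace model (not the powerz driver's code and not the kernel patch). The names model_wait, model_kill_urb, model_parse and outcome_flags are hypothetical stand-ins, and the -EIO code returned on timeout is an assumption.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#define ERESTARTSYS 512	/* kernel-internal value, absent from userspace errno.h */

/* Userspace model with hypothetical names; not the powerz driver's code. */
struct model_urb { int killed; int buf_read; unsigned char buf[8]; };

/* Models wait_for_completion_interruptible_timeout(): >0 completed,
 * 0 timed out, -ERESTARTSYS interrupted. Buffer is filled only on >0. */
static long model_wait(struct model_urb *u, long outcome)
{
	if (outcome > 0)
		memset(u->buf, 0xAB, sizeof(u->buf));
	return outcome;
}
static void model_kill_urb(struct model_urb *u) { u->killed = 1; }
static int model_parse(struct model_urb *u) { u->buf_read = 1; return u->buf[0]; }

static int read_original(struct model_urb *u, long outcome)
{
	if (!model_wait(u, outcome)) {	/* true only for timeout (0) */
		model_kill_urb(u);
		return -EIO;		/* assumed error code */
	}
	return model_parse(u);		/* also reached on -ERESTARTSYS */
}

static int read_fixed(struct model_urb *u, long outcome)
{
	long ret = model_wait(u, outcome);	/* long matches the return type */
	if (ret < 0) { model_kill_urb(u); return (int)ret; }	/* signal */
	if (ret == 0) { model_kill_urb(u); return -EIO; }	/* timeout */
	return model_parse(u);
}

/* Bit 0: URB was killed. Bit 1: transfer buffer was read. */
static int outcome_flags(int fixed, long outcome)
{
	struct model_urb u = {0};
	(void)(fixed ? read_fixed(&u, outcome) : read_original(&u, outcome));
	return u.killed | (u.buf_read << 1);
}

int main(void)
{
	long c[] = { 3, 0, -ERESTARTSYS };	/* constructed sample outcomes */
	for (int i = 0; i < 3; i++)
		printf("wait=%ld original=%d fixed=%d\n", c[i], outcome_flags(0, c[i]), outcome_flags(1, c[i]));
	return 0;
}
```

Only the interrupted case differs between the two: the original pattern reads the buffer without killing the URB, while the fixed pattern kills the URB and never reads.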

Affected Systems

This flaw exists in the Linux kernel across all released versions that include the hwmon powerz driver. The vendor is Linux. Exact version ranges are not specified in the advisory, so any kernel that has not applied the recent patch is potentially vulnerable.

Risk and Exploitability

No publicly available exploit is known and the EPSS score is not available, indicating a low probability of widespread exploitation. Because the defect resides in kernel space, its impact is local but can cause a crash when an attacker can trigger a signal during a power‑monitor read. The overall risk is moderate and warrants patching before use in environments where the power monitoring code is active.

Generated by OpenCVE AI on May 28, 2026 at 04:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that includes the changes referenced by the commits 8b51277e and b6cb07f02253bdefd2339e57eaa1428a7b28cd0f
  • Reboot the system to load the patched kernel
  • Monitor kernel logs for URB errors or crashes that might indicate a regression or misconfiguration


Advisories

No advisories yet.

History

Thu, 28 May 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 28 May 2026 00:15:00 +0000


Wed, 27 May 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt wait_for_completion_interruptible_timeout() returns -ERESTARTSYS when interrupted. This needs to abort the URB and return an error. No data has been received from the device so any reads from the transfer buffer are invalid. The original code tests !ret, which only catches the timeout case (0). On signal delivery (-ERESTARTSYS), !ret is false so the function skips usb_kill_urb() and falls through to read from the unfilled transfer buffer. Fix by capturing the return value into a long (matching the function return type) and handling signal (negative) and timeout (zero) cases with separate checks that both call usb_kill_urb() before returning.
Title hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:58:01.478Z

Reserved: 2026-05-13T15:03:33.095Z

Link: CVE-2026-46073

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:28.607

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46073

Redhat

Severity :

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46073 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T04:30:06Z

Weaknesses