Description
In the Linux kernel, the following vulnerability has been resolved:

power: supply: rt9455: Fix use-after-free in power_supply_changed()

Using the `devm_` variant for requesting IRQ _before_ the `devm_`
variant for allocating/registering the `power_supply` handle, means that
the `power_supply` handle will be deallocated/unregistered _before_ the
interrupt handler (since `devm_` naturally deallocates in reverse
allocation order). This means that during removal, there is a race
condition where an interrupt can fire just _after_ the `power_supply`
handle has been freed, *but* just _before_ the corresponding
unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling `power_supply_changed()` with
a freed `power_supply` handle. Which usually crashes the system or
otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during
`probe()`; the possibility of an interrupt firing _before_ registering
the `power_supply` handle. This would then lead to the nasty situation
of using the `power_supply` handle *uninitialized* in
`power_supply_changed()`.

Fix this racy use-after-free by making sure the IRQ is requested _after_
the registration of the `power_supply` handle.
Published: 2026-06-03
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition in the Linux kernel’s power supply driver for RT9455 can cause a use‑after‑free when an interrupt handler is invoked after the power_supply handle has already been freed and before its IRQ is unregistered. This leads to a kernel crash or silent memory corruption, disrupting the entire system. The weakness is a classic use‑after‑free scenario (CWE‑364) and a related improper release of resources violation (CWE‑416).

Affected Systems

The flaw exists in the Linux kernel’s rt9455 power supply module. No specific kernel version ranges are listed, so any kernel build compiling this driver could be impacted.

Risk and Exploitability

The EPSS score is below 1%, indicating a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 8.4 signifies a high severity. Because the flaw requires the driver to be removed while an IRQ is pending, it is reasonable to infer that the attack vector would be local to a privileged user or a process that can trigger driver removal.

Generated by OpenCVE AI on June 9, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that implements the fix where the IRQ request is performed after the power_supply registration.
  • If a kernel upgrade is not immediately possible, disable the rt9455 power‑supply driver or block its IRQ to prevent the use‑after‑free during removal.
  • Enforce least privilege for any operations that can remove or reload the driver, restricting them to privileged users only.

Generated by OpenCVE AI on June 9, 2026 at 22:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 05 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 04 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 04 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References

Wed, 03 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 03 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: power: supply: rt9455: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle.
Title power: supply: rt9455: Fix use-after-free in power_supply_changed()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-05T06:06:42.204Z

Reserved: 2026-05-13T15:03:33.109Z

Link: CVE-2026-46270

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-06-03T18:16:28.733

Modified: 2026-06-09T19:52:06.740

Link: CVE-2026-46270

cve-icon Redhat

Severity :

Publid Date: 2026-06-03T00:00:00Z

Links: CVE-2026-46270 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T22:30:14Z

Weaknesses