Description
In the Linux kernel, the following vulnerability has been resolved:

power: supply: max77705: Free allocated workqueue and fix removal order

Use devm interface for allocating workqueue to fix two bugs at the same
time:

1. Driver leaks the memory on remove(), because the workqueue is not
destroyed.

2. Driver allocates workqueue and then registers interrupt handlers
with devm interface. This means that probe error paths will not use a
reversed order, but first destroy the workqueue and then, via devm
release handlers, free the interrupt.

The interrupt handler schedules work on this exact workqueue, thus if
interrupt is hit in this short time window - after destroying
workqueue, but before devm() frees the interrupt - the schedulled
work will lead to use of freed memory.

Change is not equivalent in the workqueue itself: use non-legacy API
which does not set (__WQ_LEGACY | WQ_MEM_RECLAIM). The workqueue is
used to update power supply (power_supply_changed()) status, thus there
is no point to run it for memory reclaim. Note that dev_name() is not
directly used in second argument to prevent possible unlikely parsing
any "%" character in device name as format.
Published: 2026-06-26
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A bug in the Linux kernel’s max77705 power supply driver allows the driver to free a workqueue before freeing its associated interrupt handlers, creating a short window where an interrupt can schedule work onto a freed workqueue. This results in a use‑after‑free condition that can crash the kernel or potentially be used to exploit privilege escalation, but this conclusion is inferred from the description. Additionally, the driver leaks memory on remove() because the workqueue is not destroyed. Both defects compromise kernel stability and integrity.

Affected Systems

The vulnerability affects Linux kernel implementations that include the max77705 power supply driver. All kernel versions containing this driver are potentially impacted, as no specific version range is listed.

Risk and Exploitability

The EPSS score is 0.00145 (< 1%), and the vulnerability is not listed in the CISA KEV catalog. Since the flaw resides in kernel space and involves driver resource cleanup, the likely attack vector is local privilege escalation or denial of service executed by a user or a compromised application that triggers the driver’s interrupt handling path. The potential for privilege escalation is inferred from the use‑after‑free condition, but this conclusion is not directly stated in the description. In the absence of public exploitation reports, the risk is considered significant but the likelihood of widespread exploitation remains uncertain.

Generated by OpenCVE AI on June 29, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the system to a kernel release that includes the patched max77705 driver which uses the devm interface for workqueue allocation.
  • If upgrading is not currently possible, consider disabling or removing the max77705 power supply driver to eliminate the use‑after‑free condition.
  • Continuously monitor system logs for kernel panic or Oops messages related to workqueue usage and reboot the system if instability occurs.

Generated by OpenCVE AI on June 29, 2026 at 16:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CWE-416

Mon, 29 Jun 2026 12:15:00 +0000


Fri, 26 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CWE-416

Fri, 26 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: power: supply: max77705: Free allocated workqueue and fix removal order Use devm interface for allocating workqueue to fix two bugs at the same time: 1. Driver leaks the memory on remove(), because the workqueue is not destroyed. 2. Driver allocates workqueue and then registers interrupt handlers with devm interface. This means that probe error paths will not use a reversed order, but first destroy the workqueue and then, via devm release handlers, free the interrupt. The interrupt handler schedules work on this exact workqueue, thus if interrupt is hit in this short time window - after destroying workqueue, but before devm() frees the interrupt - the schedulled work will lead to use of freed memory. Change is not equivalent in the workqueue itself: use non-legacy API which does not set (__WQ_LEGACY | WQ_MEM_RECLAIM). The workqueue is used to update power supply (power_supply_changed()) status, thus there is no point to run it for memory reclaim. Note that dev_name() is not directly used in second argument to prevent possible unlikely parsing any "%" character in device name as format.
Title power: supply: max77705: Free allocated workqueue and fix removal order
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-26T19:41:02.696Z

Reserved: 2026-06-09T07:44:35.397Z

Link: CVE-2026-53308

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-26T00:00:00Z

Links: CVE-2026-53308 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T16:30:17Z

Weaknesses
  • CWE-364

    Signal Handler Race Condition