CVE-2026-23101

Summary

In the Linux kernel, the following vulnerability has been resolved:

leds: led-class: Only Add LED to leds_list when it is fully ready

Before this change the LED was added to leds_list before led_init_core() gets called adding it the list before led_classdev.set_brightness_work gets initialized.

This leaves a window where led_trigger_register() of a LED's default trigger will call led_trigger_set() which calls led_set_brightness() which in turn will end up queueing the uninitialized led_classdev.set_brightness_work.

This race gets hit by the lenovo-thinkpad-t14s EC driver which registers 2 LEDs with a default trigger provided by snd_ctl_led.ko in quick succession. The first led_classdev_register() causes an async modprobe of snd_ctl_led to run and that async modprobe manages to exactly hit the window where the second LED is on the leds_list without led_init_core() being called for it, resulting in:

————[ cut here ]———— WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390 Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025 … Call trace: __flush_work+0x344/0x390 (P) flush_work+0x2c/0x50 led_trigger_set+0x1c8/0x340 led_trigger_register+0x17c/0x1c0 led_trigger_register_simple+0x84/0xe8 snd_ctl_led_init+0x40/0xf88 [snd_ctl_led] do_one_initcall+0x5c/0x318 do_init_module+0x9c/0x2b8 load_module+0x7e0/0x998

Close the race window by moving the adding of the LED to leds_list to after the led_init_core() call.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxd23a22a74fded23a12434c9463fe66cec2b0afcd < f7a6df659af777058833802c29b3b7974db5e78aaffected
LinuxLinuxd23a22a74fded23a12434c9463fe66cec2b0afcd < d117fdcb21b05c0e0460261d017b92303cd9ba77affected
LinuxLinuxd23a22a74fded23a12434c9463fe66cec2b0afcd < e90c861411fc84629a240384b0a72830539d3386affected
LinuxLinuxd23a22a74fded23a12434c9463fe66cec2b0afcd < 2757f7748ce2d0fa44112024907bafb37e104d6eaffected
LinuxLinuxd23a22a74fded23a12434c9463fe66cec2b0afcd < da565bf98c9ad0eabcb09fc97859e0b52f98b7c3affected
LinuxLinuxd23a22a74fded23a12434c9463fe66cec2b0afcd < 78822628165f3d817382f67f91129161159ca234affected
LinuxLinuxd23a22a74fded23a12434c9463fe66cec2b0afcd < d1883cefd31752f0504b94c3bcfa1f6d511d6e87affected
LinuxLinux3.7affected
LinuxLinux0 < 3.7unaffected
LinuxLinux5.10.249 <= 5.10.*unaffected
LinuxLinux5.15.199 <= 5.15.*unaffected
LinuxLinux6.1.162 <= 6.1.*unaffected
LinuxLinux6.6.122 <= 6.6.*unaffected
LinuxLinux6.12.68 <= 6.12.*unaffected
LinuxLinux6.18.8 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References