CVE-2026-23101
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
leds: led-class: Only Add LED to leds_list when it is fully ready
Before this change the LED was added to leds_list before led_init_core() gets called adding it the list before led_classdev.set_brightness_work gets initialized.
This leaves a window where led_trigger_register() of a LED's default trigger will call led_trigger_set() which calls led_set_brightness() which in turn will end up queueing the uninitialized led_classdev.set_brightness_work.
This race gets hit by the lenovo-thinkpad-t14s EC driver which registers 2 LEDs with a default trigger provided by snd_ctl_led.ko in quick succession. The first led_classdev_register() causes an async modprobe of snd_ctl_led to run and that async modprobe manages to exactly hit the window where the second LED is on the leds_list without led_init_core() being called for it, resulting in:
————[ cut here ]———— WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390 Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025 … Call trace: __flush_work+0x344/0x390 (P) flush_work+0x2c/0x50 led_trigger_set+0x1c8/0x340 led_trigger_register+0x17c/0x1c0 led_trigger_register_simple+0x84/0xe8 snd_ctl_led_init+0x40/0xf88 [snd_ctl_led] do_one_initcall+0x5c/0x318 do_init_module+0x9c/0x2b8 load_module+0x7e0/0x998
Close the race window by moving the adding of the LED to leds_list to after the led_init_core() call.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | d23a22a74fded23a12434c9463fe66cec2b0afcd < f7a6df659af777058833802c29b3b7974db5e78a | affected |
| Linux | Linux | d23a22a74fded23a12434c9463fe66cec2b0afcd < d117fdcb21b05c0e0460261d017b92303cd9ba77 | affected |
| Linux | Linux | d23a22a74fded23a12434c9463fe66cec2b0afcd < e90c861411fc84629a240384b0a72830539d3386 | affected |
| Linux | Linux | d23a22a74fded23a12434c9463fe66cec2b0afcd < 2757f7748ce2d0fa44112024907bafb37e104d6e | affected |
| Linux | Linux | d23a22a74fded23a12434c9463fe66cec2b0afcd < da565bf98c9ad0eabcb09fc97859e0b52f98b7c3 | affected |
| Linux | Linux | d23a22a74fded23a12434c9463fe66cec2b0afcd < 78822628165f3d817382f67f91129161159ca234 | affected |
| Linux | Linux | d23a22a74fded23a12434c9463fe66cec2b0afcd < d1883cefd31752f0504b94c3bcfa1f6d511d6e87 | affected |
| Linux | Linux | 3.7 | affected |
| Linux | Linux | 0 < 3.7 | unaffected |
| Linux | Linux | 5.10.249 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.199 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.162 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.122 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.68 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.8 <= 6.18.* | unaffected |
| Linux | Linux | 6.19 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/f7a6df659af777058833802c29b3b7974db5e78a
- https://git.kernel.org/stable/c/d117fdcb21b05c0e0460261d017b92303cd9ba77
- https://git.kernel.org/stable/c/e90c861411fc84629a240384b0a72830539d3386
- https://git.kernel.org/stable/c/2757f7748ce2d0fa44112024907bafb37e104d6e
- https://git.kernel.org/stable/c/da565bf98c9ad0eabcb09fc97859e0b52f98b7c3
- https://git.kernel.org/stable/c/78822628165f3d817382f67f91129161159ca234
- https://git.kernel.org/stable/c/d1883cefd31752f0504b94c3bcfa1f6d511d6e87
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.