CVE-2026-46246

Summary

In the Linux kernel, the following vulnerability has been resolved:

power: supply: pm8916_lbc: Fix use-after-free for extcon in IRQ handler

Using the devm_ variant for requesting IRQ before the devm_ variant for allocating/registering the extcon handle, means that the extcon handle will be deallocated/unregistered before the interrupt handler (since devm_ naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just after the extcon handle has been freed, but just before the corresponding unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling extcon_set_state_sync() with a freed extcon handle. Which usually crashes the system or otherwise silently corrupts the memory…

Fix this racy use-after-free by making sure the IRQ is requested after the registration of the extcon handle.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxf8d7a3d21160a0cab4d15b81231f2a76b0fcee13 < 9fab0120907e6965168e55b1e17cb9dfaf262b86affected
LinuxLinuxf8d7a3d21160a0cab4d15b81231f2a76b0fcee13 < 47abfc207ab02cf1297257e282e8048da63f0d08affected
LinuxLinuxf8d7a3d21160a0cab4d15b81231f2a76b0fcee13 < 48e0f68b50c344bb2d78d65dd98f93e41276ee00affected
LinuxLinuxf8d7a3d21160a0cab4d15b81231f2a76b0fcee13 < 23067259919663580c6f81801847cfc7bd54fd1faffected
LinuxLinux6.7affected
LinuxLinux0 < 6.7unaffected
LinuxLinux6.12.75 <= 6.12.*unaffected
LinuxLinux6.18.14 <= 6.18.*unaffected
LinuxLinux6.19.4 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References