CVE-2026-46270

Summary

In the Linux kernel, the following vulnerability has been resolved:

power: supply: rt9455: Fix use-after-free in power_supply_changed()

Using the devm_ variant for requesting IRQ before the devm_ variant for allocating/registering the power_supply handle, means that the power_supply handle will be deallocated/unregistered before the interrupt handler (since devm_ naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just after the power_supply handle has been freed, but just before the corresponding unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling power_supply_changed() with a freed power_supply handle. Which usually crashes the system or otherwise silently corrupts the memory…

Note that there is a similar situation which can also happen during probe(); the possibility of an interrupt firing before registering the power_supply handle. This would then lead to the nasty situation of using the power_supply handle uninitialized in power_supply_changed().

Fix this racy use-after-free by making sure the IRQ is requested after the registration of the power_supply handle.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxe86d69dd786e94046b8f5be7df1b9a8226a40b2a < d4e2e3c3caa26b93aa9f36d0a6824b584e2a8dfcaffected
LinuxLinuxe86d69dd786e94046b8f5be7df1b9a8226a40b2a < 62d753b916bd500bb269b7078cdab73198ab4718affected
LinuxLinuxe86d69dd786e94046b8f5be7df1b9a8226a40b2a < a39f8f06216f73ef40e71e2fe4ad071964c1fd36affected
LinuxLinuxe86d69dd786e94046b8f5be7df1b9a8226a40b2a < af261f218a7606f93d2c786353d60bb4feb56ef0affected
LinuxLinuxe86d69dd786e94046b8f5be7df1b9a8226a40b2a < 2178dc65d45e2f7bcaa8af8d80d100419bdab251affected
LinuxLinuxe86d69dd786e94046b8f5be7df1b9a8226a40b2a < 64e15155095f39f4dec9b4659da1238ef8fc54d4affected
LinuxLinuxe86d69dd786e94046b8f5be7df1b9a8226a40b2a < 721449a15170fc5f028a7576d7f65b9f60d53482affected
LinuxLinuxe86d69dd786e94046b8f5be7df1b9a8226a40b2a < e2febe375e5ea5afed92f4cd9711bde8f24ee6d2affected
LinuxLinux4.2affected
LinuxLinux0 < 4.2unaffected
LinuxLinux5.10.252 <= 5.10.*unaffected
LinuxLinux5.15.202 <= 5.15.*unaffected
LinuxLinux6.1.165 <= 6.1.*unaffected
LinuxLinux6.6.128 <= 6.6.*unaffected
LinuxLinux6.12.75 <= 6.12.*unaffected
LinuxLinux6.18.14 <= 6.18.*unaffected
LinuxLinux6.19.4 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References