PatchSiren cyber security CVE debrief
CVE-2026-43332 Git CVE debrief
CVE-2026-43332 affects the Linux kernel thermal subsystem. The vulnerability is an error-path lifecycle bug in thermal_zone_device_register_with_trips(): if registration fails after a thermal zone device has already been registered, the code may skip the same completion wait used during normal unregistration. That can allow the thermal zone object to be freed prematurely when user space has taken a kobject reference, creating a high-impact memory safety risk. The issue is documented as fixed by adding the missing wait_for_completion() call in the registration failure path.
- Vendor: Git
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-11
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-11
Who should care
Linux kernel maintainers, distro security teams, embedded device vendors, and operators of systems that use the kernel thermal subsystem should care. Systems exposing thermal zone interfaces to user space are especially relevant because the bug depends on a user-space reference being present during a registration failure path.
Technical summary
The CVE description states that thermal_zone_device_register_with_trips() can fail after a thermal zone device has already been registered. In that case, the error path must wait for the tz->removal completion just as thermal_zone_device_unregister() does. Without that synchronization, tz may be freed before thermal_release() has run if user space has retained a reference to the thermal zone device's kobject. The reported fix is to add the missing wait_for_completion() call to the registration error path. NVD lists the issue with CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
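The ordering problem described above can be traced in a small user-space C model. This is an added illustration, not kernel code and not the upstream patch. The struct, the `*_model` helpers and the simulated ordering are hypothetical, and the model assumes thermal_release() is what signals tz->removal, as the description implies.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only: field and helper names are hypothetical. */
struct tz_model {
    int  kref;            /* kobject reference count */
    bool removal_done;    /* models the tz->removal completion */
    bool freed;           /* models the memory backing tz being freed */
    bool use_after_free;  /* set if a put touches tz after the free */
};

/* Models thermal_release(): runs on the last put and signals removal. */
static void release_model(struct tz_model *tz) { tz->removal_done = true; }

static void put_model(struct tz_model *tz)
{
    if (tz->freed)
        tz->use_after_free = true;  /* refcount lives in freed memory */
    if (--tz->kref == 0)
        release_model(tz);
}

/* Returns true when the error path frees tz while a reference is live. */
static bool error_path_frees_early(bool wait_for_removal, bool user_holds_ref)
{
    struct tz_model tz = { .kref = 1 };   /* device already registered */

    if (user_holds_ref)
        tz.kref++;                        /* user space took a kobject ref */

    put_model(&tz);                       /* error path drops its own ref */
    if (wait_for_removal && !tz.removal_done)
        put_model(&tz);                   /* blocked until the holder's put */
    tz.freed = true;                      /* error path frees tz */
    if (!tz.removal_done)
        put_model(&tz);                   /* holder's put arrives too late */
    return tz.use_after_free;
}

int main(void)
{
    printf("no wait, user ref held: early free = %d\n", error_path_frees_early(false, true));
    printf("wait,    user ref held: early free = %d\n", error_path_frees_early(true, true));
    printf("no wait, no user ref:   early free = %d\n", error_path_frees_early(false, false));
    return 0;
}
```

Only the combination of a held user-space reference and a missing wait produces the early free, which is why the fix is confined to the error path.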
Defensive priority
High
Recommended defensive actions
- Apply the upstream or vendor kernel patch that adds the missing wait_for_completion() in the thermal zone registration error path.
- Prioritize updates for kernels that include thermal core backports or vendor modifications to the thermal subsystem.
- Verify that your distribution's advisory or backport includes the exact lifecycle fix, not just adjacent thermal changes.
- If you maintain custom kernel trees, review thermal_zone_device_register_with_trips() error handling for the same completion wait used by thermal_zone_device_unregister().
Evidence notes
This debrief is based only on the supplied CVE description, NVD metadata, and the linked kernel.org stable references. The core fact pattern is: a failed thermal zone registration path can omit a completion wait, which may let tz be freed prematurely if user space still holds a kobject reference. NVD metadata provides the severity and CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The five supplied kernel.org stable links are the only patch references provided in the corpus.
Official resources
- CVE-2026-43332 CVE record (CVE.org)
- CVE-2026-43332 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
CVE published 2026-05-08T14:16:42.880Z and last modified 2026-05-11T08:16:09.850Z.