PatchSiren

CVE-2026-23283 Linux CVE debrief

CVE-2026-23283 is a Linux kernel issue in the fp9931 regulator/hwmon path where an error return from regmap_read() could bypass pm_runtime_put_autosuspend(), leaking a PM runtime reference. NVD marks the issue as MEDIUM severity with local attack requirements and availability impact. According to the supplied NVD data, the affected range includes Linux kernel 6.19 through 6.19.7, plus 7.0-rc1. NVD also lists two kernel patch references tied to the fix.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-25
Original CVE updated: 2026-05-22
Advisory published: 2026-03-25
Advisory updated: 2026-05-22

Who should care

Linux kernel maintainers, distro security teams, and operators running kernels with the fp9931 regulator/hwmon driver should review this advisory. Systems that may exercise hardware monitoring paths on affected kernels are the primary concern.

Technical summary

The vulnerability is a missing cleanup path in fp9931_hwmon_read(): if regmap_read() fails, the function returns without calling pm_runtime_put_autosuspend(). That leaves a PM runtime reference outstanding, which can accumulate and impact availability. The CVSS vector provided by NVD is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a locally reachable issue with high availability impact but no confidentiality or integrity impact recorded.
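
The leak pattern described above, reduced to a userspace C model (an added example, not the fp9931 driver source or the upstream patch). The names model_dev, model_pm_get, model_pm_put, model_reg_read, read_leaky and read_balanced are hypothetical stand-ins for the kernel's device, PM runtime and regmap calls.

```c
/* Userspace model of the leak pattern, not the kernel driver source.
 * All names are hypothetical stand-ins for the device, PM get/put and regmap read. */
#include <errno.h>
#include <stdio.h>

struct model_dev { int usage_count; int fail_reads; };
static void model_pm_get(struct model_dev *d) { d->usage_count++; }
static void model_pm_put(struct model_dev *d) { d->usage_count--; }
static int model_reg_read(struct model_dev *d, unsigned int *val)
{
    *val = 42; /* constructed sample register value */
    return d->fail_reads ? -EIO : 0;
}

/* Pattern described in the advisory: the error return skips the put. */
static int read_leaky(struct model_dev *d)
{
    unsigned int val;
    model_pm_get(d);
    int ret = model_reg_read(d, &val);
    if (ret)
        return ret; /* reference stays outstanding */
    model_pm_put(d);
    return 0;
}

/* Balanced form: the put runs before the read result is checked. */
static int read_balanced(struct model_dev *d)
{
    unsigned int val;
    model_pm_get(d);
    int ret = model_reg_read(d, &val);
    model_pm_put(d);
    return ret;
}

/* Call a reader n times and return the outstanding reference count. */
static int outstanding_after(int (*rd)(struct model_dev *), int n, int fail)
{
    struct model_dev d = { 0, fail };
    while (n-- > 0)
        rd(&d);
    return d.usage_count;
}

int main(void)
{
    printf("leaky=%d balanced=%d\n", outstanding_after(read_leaky, 100, 1),
           outstanding_after(read_balanced, 100, 1));
    return 0;
}
```

In the model, every failed read through read_leaky leaves the counter one higher, which is the accumulation the advisory ties to availability impact; the balanced form returns the same error code with the counter back at zero.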

Defensive priority

Medium. This is a kernel availability issue with local prerequisites, but it affects core runtime accounting and should be patched in any environment running the impacted kernel range.

Recommended defensive actions

  • Apply the kernel fix referenced by NVD as soon as practical.
  • Prioritize upgrading systems on Linux kernel 6.19 through 6.19.7 and any affected 7.0 release candidates.
  • Review whether fp9931 hardware monitoring paths are present in your deployed kernel builds.
  • Track kernel vendor backports if you rely on a distro-managed kernel rather than mainline.
  • Monitor systems for unexplained PM runtime or availability anomalies until patched.

Evidence notes

All statements are based on the supplied CVE record, NVD metadata, and the referenced kernel patch links. The issue description states that pm_runtime_put_autosuspend() was skipped on a regmap_read() error, causing a PM reference leak. NVD lists the affected CPE range for linux_kernel and provides the CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. No KEV entry was supplied.

Official resources

CVE publishedAt: 2026-03-25T11:16:22.957Z. CVE modifiedAt / source modifiedAt: 2026-05-22T00:19:22.697Z. No KEV date was supplied.