PatchSiren cyber security CVE debrief
CVE-2026-31486 Linux CVE debrief
A race condition in the Linux kernel's PMBus hardware monitoring subsystem could allow local attackers to cause integrity and availability impacts. The vulnerability exists because PMBus regulator operations accessed shared registers and data without mutex protection. The fix introduces mutex protection for voltage operations while avoiding deadlock through a deferred notification worker that processes events outside of the critical section.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-22
- Original CVE updated: 2026-06-01
- Advisory published: 2026-04-22
- Advisory updated: 2026-06-01
Who should care
Organizations running Linux systems with PMBus-managed power supplies, voltage regulators, or BMC-attached power hardware; embedded and server platforms that use PMBus for power management; kernel maintainers and distribution vendors packaging stable kernel updates.
Technical summary
The PMBus hardware monitoring core in the Linux kernel exposed regulator voltage get, set, and list operations that accessed PMBus registers and shared driver data without holding the update_lock mutex. This created a race condition where concurrent operations could corrupt regulator state or produce inconsistent voltage values. Directly adding mutex protection to these functions would cause deadlock because pmbus_regulator_notify() is invoked with the mutex already held from paths such as pmbus_fault_handler(), and regulator callbacks may re-enter the protected voltage functions. The resolution reworks notification delivery to use a workqueue worker that processes pending events from an atomic per-page bitmask outside of the mutex critical section. The worker and its data are initialized during regulator registration and cleaned up via devm_add_action_or_reset() on device removal.
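As an added illustration of the deadlock and the deferred-worker resolution described above, the following is constructed user-space C, not the kernel's PMBus code: the names lock_acquire, fault_handler_direct, fault_handler_deferred and notify_worker are hypothetical stand-ins for update_lock, pmbus_fault_handler() and the new worker, and the lock is a single-thread simulation that reports a re-entrant acquire as -1 instead of blocking forever.

```c
/* Added illustration, not kernel code: a consumer callback invoked while
 * update_lock is held re-enters the locked voltage path and deadlocks; the fix
 * flags the event in an atomic per-page bitmask and delivers it from a worker
 * outside the critical section. All names are hypothetical stand-ins. */
#include <stdatomic.h>
#define PMBUS_PAGES 8
#define EV_FAULT 0x1u
/* Simulated non-recursive mutex: re-acquire by the holder returns -1 here,
 * where a real mutex would block forever. */
static int update_lock_held;
static int lock_acquire(void) { if (update_lock_held) return -1; update_lock_held = 1; return 0; }
static void lock_release(void) { update_lock_held = 0; }
static atomic_uint pending[PMBUS_PAGES]; /* atomic per-page event bitmask */
static int delivered;                     /* events that reached a consumer */
static int pmbus_regulator_get_voltage(int page) /* protected register read */
{
    if (lock_acquire()) return -1;
    int mv = 1200 + 25 * page;            /* constructed value, not hardware */
    lock_release();
    return mv;
}
static int consumer_callback(int page)   /* consumer re-reads the voltage */
{
    if (pmbus_regulator_get_voltage(page) < 0) return -1;
    delivered++;
    return 0;
}
static int fault_handler_direct(int page) /* pre-fix: notify under the lock */
{
    if (lock_acquire()) return -1;
    int rc = consumer_callback(page);     /* re-entry -> deadlock */
    lock_release();
    return rc;
}
static int fault_handler_deferred(int page) /* post-fix: flag, deliver later */
{
    if (lock_acquire()) return -1;
    atomic_fetch_or(&pending[page], EV_FAULT);
    lock_release();
    return 0;
}
static int notify_worker(void)           /* runs with update_lock not held */
{
    int rc = 0;
    for (int page = 0; page < PMBUS_PAGES; page++)
        if (atomic_exchange(&pending[page], 0u) & EV_FAULT)
            rc |= consumer_callback(page);
    return rc;
}
```

The direct handler fails because the consumer's voltage read finds the lock already held, while the deferred handler returns immediately and the worker delivers the event once the lock is free.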
Defensive priority
HIGH
Recommended defensive actions
- Apply the relevant stable kernel patch for your version stream as referenced in the official kernel Git repositories
- Upgrade to Linux kernel 6.18.21 or later, 6.19.11 or later, or 7.0 final when available
- If running custom or long-term support kernels, backport the mutex protection and deferred notification worker changes to the PMBus core regulator code
- Review systems using PMBus-based power management hardware for unexpected voltage anomalies or system instability that could indicate race condition exploitation
- Monitor kernel logs for PMBus fault handler or regulator notification errors as potential indicators of trigger attempts
Evidence notes
The vulnerability description was published on 2026-04-22 and modified on 2026-06-01. The issue affects Linux kernel versions from 3.19.1 through 6.18.20, 6.19 through 6.19.10, the 3.19 release, and 7.0 release candidates rc1 through rc7. The CVSS 3.1 vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H, indicating a local attack vector with low attack complexity, low privileges required, no user interaction, and high impacts to integrity and availability. The weakness is classified as CWE-667 (Improper Locking). Multiple stable kernel patches are available.
Official resources
- CVE-2026-31486 CVE record (CVE.org)
- CVE-2026-31486 NVD detail (NVD)
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (2026-04-22)