PatchSiren

CVE-2026-45867 Linux CVE debrief

A use-after-free vulnerability exists in the Linux kernel's ACT8945A power supply driver. The issue stems from incorrect ordering of devm-managed resource allocations: the IRQ is requested before the power_supply handle is registered, causing the power_supply to be freed before the IRQ handler is unregistered during driver removal. This creates a race condition where a late interrupt can invoke power_supply_changed() with a freed handle, leading to system crashes or memory corruption. A similar race exists during probe() where an interrupt may fire before power_supply registration completes, resulting in use of an uninitialized handle. The fix reorders the IRQ request to occur after power_supply registration, ensuring proper teardown sequence.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux kernel maintainers, embedded systems developers using ACT8945A power management ICs, distribution security teams, and organizations running Linux on hardware with ACT8945A components

Technical summary

The ACT8945A power supply driver in the Linux kernel incorrectly orders devm-managed resource allocations. devm resources are released in the reverse order of their allocation, so when devm_request_irq() is called before devm_power_supply_register(), the automatic cleanup during driver removal frees the power_supply structure before unregistering the IRQ handler. This leaves a window in which a pending interrupt can run the handler with a dangling pointer, and the handler's call to power_supply_changed() then operates on freed memory. During probe(), a similar race lets an interrupt that fires before power_supply initialization use uninitialized data. The fix registers the power_supply before requesting the IRQ, which guarantees that IRQ teardown occurs before power_supply destruction.

Defensive priority

high

Recommended defensive actions

  • Apply kernel patches from stable trees (commits referenced in source references)
  • Verify IRQ registration ordering in custom ACT8945A driver implementations
  • Review other power supply drivers for similar devm resource ordering issues
  • Monitor kernel logs for crashes during driver probe/removal on ACT8945A-equipped systems
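
A first-pass check for the two review actions above, as an added example that is not part of the advisory or the kernel tree: it flags any function in which a devm IRQ request textually precedes devm_power_supply_register(). The sample sources and the names demo_charger_probe and demo_isr are constructed, and the matching is a source-order heuristic, so a hit only marks a function for manual review.

```python
import re

# Real kernel API names; the matching itself is a source-order heuristic only.
IRQ_RE = re.compile(r"\bdevm_request_(?:threaded_|any_context_)?irq\s*\(")
PSY_RE = re.compile(r"\bdevm_power_supply_register\w*\s*\(")
FUNC_RE = re.compile(r"^(?:static\s+)?\w[\w\s*]*?\b(\w+)\s*\([^;{]*\)\s*\{", re.M)

def function_bodies(src):
    """Yield (name, body) per top-level C function via naive brace matching."""
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i]

def irq_before_psy(src):
    """Names of functions that request a devm IRQ before registering the
    power_supply, i.e. the allocation order the advisory describes."""
    hits = []
    for name, body in function_bodies(src):
        irq, psy = IRQ_RE.search(body), PSY_RE.search(body)
        if irq and psy and irq.start() < psy.start():
            hits.append(name)
    return hits

# Constructed sample sources for illustration; not the ACT8945A driver code.
BUGGY = """
static int demo_charger_probe(struct platform_device *pdev)
{
    ret = devm_request_irq(&pdev->dev, irq, demo_isr, 0, "demo", chg);
    if (ret)
        return ret;
    chg->psy = devm_power_supply_register(&pdev->dev, &chg->desc, &cfg);
    return PTR_ERR_OR_ZERO(chg->psy);
}
"""
FIXED = """
static int demo_charger_probe(struct platform_device *pdev)
{
    chg->psy = devm_power_supply_register(&pdev->dev, &chg->desc, &cfg);
    if (IS_ERR(chg->psy))
        return PTR_ERR(chg->psy);
    return devm_request_irq(&pdev->dev, irq, demo_isr, 0, "demo", chg);
}
"""

if __name__ == "__main__":
    print("flagged:", irq_before_psy(BUGGY), "clean:", irq_before_psy(FIXED))
```

Braces inside strings or comments, and drivers that split registration across helper functions, will defeat the brace matching, so treat an empty result as inconclusive.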

Evidence notes

The vulnerability description and fix details are sourced from the official CVE record and NVD entry published 2026-05-27. Multiple stable kernel tree commits are referenced, indicating backports to various kernel versions.

Official resources

2026-05-27