CVE-2026-45906 Linux CVE debrief

Who should care

Linux kernel maintainers, embedded systems developers using NXP PF1550 PMIC, security teams tracking kernel driver vulnerabilities, organizations running Linux on hardware with PF1550 power management IC

Technical summary

The PF1550 power supply driver in the Linux kernel contains a use-after-free vulnerability caused by incorrect ordering of devm-managed resource allocations. The driver calls devm_request_irq() before devm_power_supply_register(), which violates proper teardown ordering since devm resources are freed in LIFO order. During driver removal, this creates a race window between power_supply handle deallocation and IRQ handler unregistration where a pending interrupt can dereference freed memory. The vulnerability also exposes an initialization race during probe() where interrupts may fire before power_supply handle is fully initialized. The fix reorders allocations to register power_supply before requesting IRQ, ensuring that IRQ teardown completes before power_supply deallocation.

Defensive priority

high

Recommended defensive actions

• Apply kernel patches from stable branches (see ref-4, ref-5)
• Prioritize patching systems using PF1550 power management IC
• Monitor for kernel oops/panics in power supply subsystem logs
• Review other drivers for similar devm resource ordering issues

Evidence notes

Vulnerability description confirms race condition in devm resource ordering. Kernel commit references (ref-4, ref-5) provide patch implementation. No CVSS score assigned; NVD status is 'Awaiting Analysis'.

Official resources