PatchSiren cyber security CVE debrief
CVE-2026-45936 Linux CVE debrief
A use-after-free vulnerability exists in the Linux kernel's Goldfish power supply driver. The issue stems from incorrect ordering of devm_ resource allocations: the IRQ was requested before the power_supply handle was registered, causing the power_supply to be freed before the IRQ handler is unregistered during driver removal. This creates a race condition where an interrupt can fire after the power_supply handle is freed but before the IRQ is unregistered, leading to power_supply_changed() being called with a freed pointer. A similar race exists during probe() where an interrupt could fire before the power_supply handle is fully initialized. The fix reorders the allocations so the IRQ is requested after power_supply registration, ensuring proper teardown order.
- Vendor: Linux
- Product: Unknown
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running Linux systems with the Goldfish power supply driver enabled, particularly Android emulator environments and embedded systems using Goldfish virtualization. Kernel maintainers and distributors should prioritize backporting the fix commits to stable branches.
Technical summary
The Goldfish power supply driver in the Linux kernel incorrectly ordered devm_ resource allocations, requesting the IRQ before registering the power_supply handle. Since devm_ resources are freed in reverse allocation order, this caused the power_supply to be freed before the IRQ handler was unregistered during driver removal. An interrupt firing in this window calls power_supply_changed() with a freed pointer, causing crashes or memory corruption. A similar race exists during probe where interrupts could fire before initialization completes. The fix reorders allocations to ensure IRQ request follows power_supply registration, guaranteeing proper teardown sequence.
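The ordering rule described above, as an added user-space C model (not the kernel driver's code and not taken from the CVE record): it tracks the two devm_ resources as a LIFO list and reports whether the IRQ handler could run while the power_supply handle is invalid. The struct, enum and function names are constructed for illustration.

```c
/* User-space model of devm_ ordering, not kernel code; all names constructed. */
#include <stdio.h>
enum res { RES_IRQ, RES_PSY };                /* the two managed resources */
enum { RACE_PROBE = 1, RACE_REMOVE = 2 };     /* flags from check_order() */
struct dev_model {
    enum res stack[2];                        /* devres list, allocation order */
    int n, irq_live, psy_valid;
};

/* The handler would call power_supply_changed(psy): unsafe if psy is invalid. */
static int handler_unsafe(const struct dev_model *d)
{
    return d->irq_live && !d->psy_valid;
}

static void devm_add(struct dev_model *d, enum res r)
{
    d->stack[d->n++] = r;
    if (r == RES_IRQ) d->irq_live = 1; else d->psy_valid = 1;
}

/* Release in reverse allocation order, as devm_ does on driver removal. */
static int devm_release_all(struct dev_model *d)
{
    int unsafe = 0;
    while (d->n > 0) {
        enum res r = d->stack[--d->n];
        if (r == RES_IRQ) d->irq_live = 0; else d->psy_valid = 0;
        unsafe |= handler_unsafe(d);          /* an interrupt may fire here */
    }
    return unsafe;
}

/* Probe then remove with the given allocation order; returns race flags. */
int check_order(enum res first, enum res second)
{
    struct dev_model d = {0};
    int races = 0;
    devm_add(&d, first);
    if (handler_unsafe(&d)) races |= RACE_PROBE;    /* IRQ live, psy not registered */
    devm_add(&d, second);
    if (devm_release_all(&d)) races |= RACE_REMOVE; /* IRQ live, psy already freed */
    return races;
}

int main(void)
{
    printf("%d %d\n", check_order(RES_IRQ, RES_PSY), check_order(RES_PSY, RES_IRQ));
}
```

The IRQ-first order reports both the probe and removal windows; the power_supply-first order, which is the fixed ordering, reports neither.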
Defensive priority
high
Recommended defensive actions
- Apply kernel patches from stable branches once available for your distribution
- Monitor vendor security advisories for updated kernel packages
- If running the Android emulator or Goldfish-based systems, prioritize patching due to the local attack vector
- Review custom kernel builds for backport of commits reordering devm_power_supply_register and devm_request_irq calls
- Consider enabling kernel memory-debugging features (SLUB_DEBUG, KASAN) to detect use-after-free conditions during testing
Evidence notes
The vulnerability description and fix are sourced from the official CVE record and NVD entry published 2026-05-27. Multiple kernel.org stable tree commits are referenced, indicating backports to various kernel versions. The issue is classified as a use-after-free with system crash or memory corruption impact. No CVSS score has been assigned yet (status: Awaiting Analysis).
Official resources
- CVE-2026-45936 CVE record (CVE.org)
- CVE-2026-45936 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
2026-05-27